Secure container for protecting enterprise data on a mobile device

ABSTRACT

A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user&#39;s position or department), behavioral attributes, and other criteria. Client-side code installed on the mobile devices may further enhance security by, for example, creating a secure container for locally storing enterprise data, creating a secure execution environment for running enterprise applications, and/or creating secure application tunnels for communicating with the enterprise system.

INCORPORATION BY REFERENCE

The present application hereby incorporates by reference the entiretechnical disclosures of U.S. Provisional Patent Application Nos.61/546,021, 61/546,922, 61/649,134, and 61/702,671. The presentapplication also hereby incorporates by reference the entire technicaldisclosure of U.S. Pat. No. 7,788,536 to Qureshi et al. (“Qureshi'526”).

BACKGROUND

1. Field

The present application relates generally to mobile computing devices(smartphones, tablets, PDAs, etc.) and associated application programs,and to systems for automated or semi-automated management of devicesused for accessing managed resources of an enterprise.

2. Description of the Related Art

Many enterprises (e.g., corporations, partnerships, academicinstitutions, etc.) maintain enterprise computer networks that allowenterprise users to access enterprise resources, such as hardware andsoftware applications for email, customer relationship management (CRM),document management, enterprise resource planning (ERP), and the like.Also, many enterprises allow users to access the enterprise network viamobile devices, such as smartphones, tablet computers, and the like. Insome cases, software applications running on the mobile devices exchangedata with the enterprise network, some of which can become saved on thememory hardware (e.g., hard drives, SD cards) of the mobile devices.

A growing trend among businesses is to allow employees to use theirpersonally owned mobile devices both to access company resources and theuse and access their personal applications and data. This trend, knownas BYOD (bring your own device) or BYOT (bring your own technology),significantly complicates the task of protecting enterprise resources,including confidential and/or sensitive information.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A is a schematic illustration of an embodiment of an enterprisecomputer system and mobile computing devices associated with theenterprise.

FIG. 1B is an embodiment similar to FIG. 1A, with the mobile devicemanagement system located in a cloud computing system (“the cloud”).

FIG. 1C is an embodiment similar to FIG. 1A, with the meta-applicationlocated in the cloud.

FIG. 1D is an embodiment similar to FIG. 1A, with the secure mobilegateway located in a firewall.

FIG. 1E is an embodiment similar to FIG. 1A, with the secure mobilegateway located in an enterprise resource.

FIG. 1F illustrates a mobile device screen display which includes aselectable screen element for exposing a user interface for selectingand launching enterprise applications.

FIG. 1G illustrates the user interface for selecting and launchingenterprise applications.

FIG. 2 is a schematic illustration of an embodiment of a mobile devicemanagement system of the enterprise computer system of FIG. 1A.

FIG. 3A is a schematic illustration of an embodiment of a mobile device.

FIG. 3B illustrates security-related components and application that maybe installed on a mobile device.

FIG. 4 is a schematic illustration of an embodiment of a gateway forselectively allowing or denying requests from mobile devices to accessan enterprise computer system.

FIG. 5 is a flowchart illustrating an embodiment of a method in which anenterprise agent of a mobile device redirects a mobile deviceapplication's communications to an enterprise resource through anapplication tunnel.

FIG. 6 is a flowchart illustrating an embodiment of a method in which anenterprise computer system participates in the formation of anapplication tunnel between a mobile device application and an enterpriseresource.

FIG. 7 is a flowchart illustrating an embodiment of a method in which anenterprise computer system regulates access by mobile devices to anenterprise resource.

FIG. 8 is a schematic illustration of an embodiment of a partiallycloud-based meta-application for managing an enterprise computer system,a mobile device management system, and/or a gateway for allowing ordenying requests from mobile devices to access an enterprise computersystem.

FIG. 9 is a flowchart illustrating an embodiment of a method in which amobile device uses encoded rules and remedial actions to detect andaddress security-related or productivity-related problems.

FIG. 10 is a flowchart illustrating an embodiment of a method in which amobile device caches data input by a user in response to a loss of anetwork connection to an enterprise computer system.

FIG. 11 is a flowchart illustrating an embodiment of a method in whichan enterprise computer system caches data to be sent to a mobile devicewhen a network connection to the mobile device is lost.

FIG. 12 is a schematic illustration of an embodiment of a controllercomputer for remotely controlling a mobile device.

FIG. 13 is a flowchart illustrating an embodiment of a method in which acontroller computer participates in a remote control session with amobile device.

FIG. 14 shows an embodiment of a screen display of a controller computerengaged in a remote control session with a mobile device, includingsystem information of the mobile device.

FIG. 15 shows an embodiment of a screen display of a controller computerengaged in a remote control session with a mobile device, includingaccess to a task manager of the mobile device.

FIG. 16 shows an embodiment of a screen display of a controller computerengaged in a remote control session with a mobile device, including aninterface for file transfers between the controller computer and themobile device.

FIG. 17 shows an embodiment of a screen display of a controller computerengaged in a remote control session with a mobile device, including aninterface for editing a registry of the mobile device.

FIG. 18 is a flowchart illustrating an embodiment of a method in which amobile device participates in a remote control session with a controllercomputer.

FIG. 19A shows an embodiment of a screen display of a controllercomputer engaged in a remote control session with a mobile device,including a chat session interface.

FIG. 19B shows an embodiment of a mobile device emulated in FIG. 19A.

FIG. 20 shows an embodiment of a screen display of a controller computerengaged in a remote control session with a mobile device, including ashared whiteboard feature.

FIG. 21 shows an example of data logged by a mobile device gateway,which can be provided to an analytics service, in accordance with oneembodiment.

FIG. 22 shows an example of an interface for configuring criteria underwhich an analytics service sends alerts based on data logged by a mobiledevice gateway.

FIG. 23 illustrates an embodiment of a method by which an analytics ornetwork intelligence service helps to authenticate a user associatedwith a mobile device access request.

FIG. 24 illustrates an embodiment of a software development kit forembedding, e.g., enterprise-protective functionalities into a mobiledevice software application.

FIG. 25 illustrates an embodiment in which an application tunnel iscreated using an agent that runs on a mobile device.

FIG. 26 illustrates a user interface (e.g., web page) for enabling anadministrator to create a tunnel between a mobile device and anapplication server.

FIG. 27 illustrates, for the embodiment of FIG. 25, representativecommunications and events that occur when an application tunnel iscreated between a mobile device and an application server.

FIG. 28 illustrates additional communications and events that occur whenthe application tunnel is set up as a secure application tunnel.

FIG. 29 illustrates an application modification system that enables amobile application's behaviors to be modified without the need for theapplication's source code, and without the need for a programmer orprogramming skills.

FIG. 30 illustrates one embodiment of a process that may be used by thesystem of FIG. 29 to modify a mobile application.

FIG. 31 illustrates representative communications and events that occurwhen a mobile device retrieves a message with an attachment from anenterprise resource according to an embodiment.

FIG. 32 illustrates communications and events that occur when a mobiledevice forwards a message with an attachment according to an embodiment.

FIG. 33 illustrates communications and events that occur when a mobiledevice forwards a message with an attachment according to anotherembodiment.

FIG. 34 is a flowchart illustrating an embodiment of a method ofencrypting an attachment.

FIG. 35 is a flowchart illustrating an embodiment of a method ofdecrypting an attachment.

Reference numerals used in this specification are generally based on thefirst figure (in the above listing) in which the numeral appears. Areference numeral with a value between 100-199 first appears in FIG. 1,a reference numeral with a value between 200-299 first appears in FIG.2, and so on.

Skilled artisans will appreciate that while certain figures of thepresent disclosure illustrate numerous items, these figures illustratecertain embodiments, and other embodiments may involve more or less thanthe items shown.

DETAILED DESCRIPTION OF SPECIFIC EMBODIMENTS

Various inventions and inventive features will now be described withreference to the drawings. As will be recognized, many of the disclosedfeatures and associated components can be used independently of others,and can be implemented differently than described herein. Thus, nothingin this detailed description (or in the preceding background section) isintended to imply that any particular feature, component orcharacteristic of the disclosed systems is essential. Moreover, it willbe understood that headings are provided for convenience and do notnecessarily affect the scope or meaning of the claims.

INTRODUCTION

The architecture described in this specification can be used by acorporation or other enterprise to flexibly implement a policy, such asa corporate owned device, BYOD (bring your own device) policy, forallowing enterprise users to use their mobile devices to securely accessenterprise resources (documents, confidential data, corporateapplication and database servers, etc.). This is accomplished throughvarious security features that, for example, enable the enterprise tospecify and implement policies for controlling mobile device accesses toparticular enterprise resources. The policies may, for example, controlmobile device accesses to enterprise resources based on a variety ofcriteria, such as the role of the respective user (e.g., whichdepartment the user is in), the configuration of the mobile device(e.g., whether any blacklisted mobile applications are installed), thelogged behaviors of the user, the location of the mobile device, and/orthe time at which access to the enterprise resource is requested. Thearchitecture further enhances security, in some embodiments, by creatingapplication tunnels that enable enterprise mobile applications tosecurely communicate over a network with the enterprise system. Thearchitecture may also enable IT staff to selectively (and remotely) wipea user's mobile device of enterprise application(s) and corporate datawhen, for example, the user discontinues employment or violates acorporate policy (such as if they jailbreak their device or otherwiseuse it in a disallowed configuration).

As described in the section titled “Protecting Attachment Data,” thedisclosed architecture may also implement an attachment encryptionpolicy in which encryption is applied to email attachments (orattachments to other types of messages, such as SMS messages) that aresent to mobile devices of enterprise users. This feature reduces thelikelihood that an unauthorized user who obtains access to an enterprisemember's mobile device will be able to access sensitive enterprisedocuments that have been sent between enterprise users as attachments.

The disclosed architecture, in some embodiments, advantageously enablesend users to concurrently run both enterprise mobile applications (thoseconfigured or authorized to access enterprise resources) and personal(non-enterprise) mobile applications on the same mobile device, withoutcompromising security. This may be accomplished in part through mobiledevice software that creates a secure environment or shell in which theenterprise mobile applications can run and store data. This secureenvironment or shell may, for example, prevent the personal applicationsinstalled on a mobile device from accessing the documents and other datastored on the mobile device by the enterprise applications. In someembodiments, a secure launcher that runs on the mobile devices augmentsthe mobile operating system's UI with a UI for launching the enterprisemobile applications installed on the mobile device. When a user launchesan enterprise mobile application, the user may, for example, bepresented with an authentication screen for entering a personal passcodethat is necessary for running the enterprise mobile applications.

The use of passcodes (or other types of authentication information) forenterprise applications reduces the likelihood that enterprise resourceswill be improperly accessed when, for example, the mobile device is lostor stolen, or when the mobile device is used by an employee's childrento play games. In some embodiments, the secure launcher (or anothercomponent installed on the mobile device) further reduces this risk byperforming a selective wipe of the mobile device when, for example, theuser attempts but fails to enter a valid passcode a threshold number ofconsecutive times (e.g., 5 or 10). The selective wipe operation deletessome or all of the enterprise applications and associated data from themobile device, without deleting any personal applications or data. Insome embodiments, the enterprise's IT department can initiate aselective wipe of a particular mobile device by remotely issuing a wipecommand to the device.

The architecture may also support various other types of remedialactions for protecting enterprise resources. One such remedy is to lockthe mobile device, or an enterprise container on the device that storesenterprise data, such that the mobile device or container can only beunlocked with a valid code provided by IT staff. In some embodiments,these and other types of remedies can be invoked automatically based onconditions detected on the mobile device, or can be remotely initiatedby IT staff.

This specification also discloses processes for creating or augmentingmobile applications to enable them to use various enterprise securityfeatures. One such approach is described below under the heading“Modifying Behaviors of Pre-Existing Mobile Applications.” Using thisapproach, an organization can modify existing mobile applications to addvarious security features without the need to access the source code ofsuch applications. The mobile application being modified may, forexample, be a custom enterprise application, or may be a commerciallyavailable mobile application that is being configured for use within theenterprise. Through this process, the preexisting mobile applicationmay, for example, be configured to (a) use application tunnels tocommunicate with the enterprise system, (b) use an encryption library toencrypt the documents and other data it stores on the mobile device, (c)present users with a login or passcode screen when the mobileapplication is launched, (d) disable cut, copy and paste operations, (e)disable offline access, (f) use a particular type of user authenticationmethod, such as posture based authentication, or any combinationthereof. The ability to modify preexisting mobile applications throughthis process gives enterprises greater flexibility in selecting mobileapplications to offer to their members; for example, rather thanrequiring employees to use a custom-developed enterprise application foraccessing cloud-based storage, the enterprise can modify (or havemodified) a popular, commercially-available mobile application withwhich users are already familiar. Further, different versions of a givenapplication (with different authentication methods, encryption levels,etc.) can be created for different types of employees.

Also disclosed are processes for effectively adding enterprise securityfeatures to mobile applications with little or no need to modify theapplication code of such applications. One such approach involves theuse of a secure virtual machine that is separate from the virtualmachine of the mobile device's operating system. The secure virtualmachine implements or provides access to various enterprise securityfeatures (such as application tunnels, data encryption, passcodeprompts, etc.), and these security features are effectively inherited byor imposed upon the mobile applications that run within the securevirtual machine. Enterprise mobile applications may be configured orforced to use the secure virtual machine, while non-enterprise mobileapplications continue to run within the native virtual machine of themobile operating system. This capability gives enterprises additionalfreedom to flexibly select mobile applications to use as enterpriseapplications; for example, through this approach, an enterprise caneffectively configure the mobile devices of users to enable the users touse a popular/familiar mobile application to securely access enterpriseresources.

The use of a secure virtual machine can enable an enterprise to providea higher level of security for running an enterprise application on BYODdevices. For example, by running the application within a secureexecution environment created by the secure virtual machine, acorporation can enforce a separate set of policies for the application,including networking and storage policies.

Another approach, which is described under the heading “Secure WebBrowser,” involves the use of a mobile browser application thatimplements the various enterprise security features. Like the securevirtual machine approach, mobile applications (or web pages accessed bythe browser) that are configured to run within the secure browsereffectively inherit the security mechanisms implemented by the securebrowser. The use of such a secure browser also enables an enterprise toimplement a content filtering policy in which, for example, employeesare blocked from accessing certain web sites from their mobile devices.The secure browser can be used, for example, to enable mobile deviceusers to access a corporate intranet without the need for a virtualprivate network (VPN).

The disclosed architecture can also include a meta-application or systemthat monitors the overall enterprise system, including the mobiledevices of enterprise users. The meta-application can operate generallyas described in Qureshi '526, and can be implemented as a cloud basedmeta-application. The data collected by the meta-application can includedata collected and reported by enterprise agents running on the mobiledevices. In some embodiments, the meta-application generates rules basedon observed behaviors, including behaviors of mobile device users. Theserules can include gateway rules that are used by a secure mobile gatewayto grant and deny mobile device requests to access enterprise resources.

These and other security features and components are described in detailin the following sections. As will be recognized, many of the disclosedfeatures and components can be used independently of others. Thus,nothing in the following description should be taken to imply thatcertain security features and components must be used in combination.

SYSTEM OVERVIEW AND TERMINOLOGY

In many cases, when a mobile computing device accesses an enterprisecomputer/IT system, sensitive data associated with the enterprise and/orenterprise-related software applications can become stored onto themobile device. Enterprise-related data can comprise any data associatedwith the enterprise, such as, without limitation, product information,sales data, customer lists, business performance data, proprietaryknow-how, inventions, trade secrets, and the like. Since thisinformation can be very sensitive, an enterprise may wish to safeguardsuch information.

Further, enterprises may wish to regulate how users use their mobiledevices. For example, enterprises may want some control over where themobile devices are used, which mobile device features can be used, whichsoftware applications can be installed and/or run on the devices, andthe like. Enterprises also have a need to control and implement remedialactions for users that violate their mobile device usage policies.

When users in the field experience problems with their mobile devices orcould benefit from information, data, software, or coaching on how toperform certain operations using the devices, it can be difficult forthe enterprise's IT support to provide highly effective assistance.Accordingly, there is also a need for improved secure management andtechnical support of mobile devices associated with an enterprise.

Embodiments described in the present application address these and otherconcerns. The present application discloses computer systems and methodsfor automated or semi-automated management of mobile computing devicesthat access an enterprise computer network, such as access tocomputer-implemented resources of the enterprise. As used herein, an“enterprise” may comprise substantially any type of organization,including, without limitation, a business, partnership, corporation, andthe like. A “mobile computing device” can comprise any of a wide varietyof devices, such as, without limitation, a mobile phone, smartphone,personal digital assistant, tablet computer, handheld computing device,and the like. The mobile devices managed by the disclosed system may,for example, include or consist of mobile devices that run the Android™,IOS, or Windows Mobile operating system (or some subset thereof). Aswill be recognized, however, the architecture disclosed herein may beused with other mobile device operating systems, including operatingsystems that may be developed in the future.

Individuals, entities, or groups of users that use mobile computingdevices to access the enterprise computer network are referred to hereinas “users.” Users can comprise members of the enterprise, such asemployees, partners, officers, etc. Alternatively, users can compriseindividuals or entities that are not members of the enterprise, butnevertheless have a need or reason to access the enterprise computernetwork. For example, users can be enterprise customers, suppliers, etc.

An “enterprise resource” may comprise a machine-accessible resourceassociated with the enterprise. Enterprise resources can comprise any ofa wide variety of different types of resources, including resources thatassist or enable users in the performance of the users' roles or dutiesassociated with the enterprise. For example, enterprise resources cancomprise raw data stored on non-transitory computer-readable storage,documents stored on non-transitory computer-readable storage, computerhardware (e.g., physical servers), software applications stored onnon-transitory computer-readable storage, macros for softwareapplications (e.g., word processor macros) stored on non-transitorycomputer-readable storage, electronic mail systems, workspaces, customerrelationship management (CRM) systems, document management systems,enterprise resource planning (ERP) systems, accounting systems,inventory systems, engineering tools, forms, style sheets, and manyother resources. Enterprise resources can be configured to be accessedand used by software applications installed and running on mobilecomputing devices.

FIG. 1A is a schematic illustration of an embodiment of a computersystem 110 associated with an enterprise, as well as one or more users115 and mobile computing devices 120 associated with the enterprise. Inthis example, each mobile device 120 is assigned to one enterprise user115, but alternatives are possible (e.g., multiple users 115 assigned toone device, and/or a single user assigned to multiple devices 120). Themobile devices 120 are preferably configured to communicate with theenterprise system 110 (also referred to herein as an “enterprisenetwork”) over a communication network 125. The communication network125 can comprise a wireless carrier network, the Internet, a wide areanetwork, a WIFI network, and the like. Hence, the network 125 cancomprise, for example, one or more wireless networks, one or more wirednetworks, or a combination of wired and wireless networks. Additionally,an enterprise system 110 can be configured to be accessed by non-mobilecomputing devices, such as desktop computers.

The enterprise system 110 preferably includes an external firewall 122and an internal firewall 124. Each firewall 122, 124 can comprise adevice or set of devices designed to permit or deny networktransmissions based upon certain criteria. The firewalls 122 and 124 cancomprise software stored on non-transitory computer-readable storage,hardware, firmware, or a combination thereof. The firewalls 122 and 124can be configured to perform basic routing functions. Embodiments of theinvention can cooperate with one or both of the firewalls 122 and 124 orother devices of the enterprise system 110 to filter mobile devices'access requests based on a set of gateway rules, in order to protect theenterprise system 110 from unauthorized access while permittinglegitimate communications to pass. As will be described in furtherdetail below, such access rules can be used to regulate access based on,e.g., mobile device properties, user properties, the specific enterpriseresources 130 for which access is requested, or any combination thereof.

The physical or logical subnetwork between the two illustrated firewalls122 and 124 can be referred to as the “demilitarized zone” (DMZ), oralternatively as a “perimeter network.” Typically, the DMZ contains andexposes the enterprise's external services to a larger untrustednetwork, usually the Internet. Ordinarily, the purpose of the DMZ is toadd an additional layer of security to the enterprise's local areanetwork (LAN); an external attacker only has access to equipment in theDMZ, rather than any other part of the enterprise network.

The illustrated enterprise system 110 includes a mobile devicemanagement system 126, a secure mobile gateway 128, and a“meta-application” 150, each of which is described in further detailbelow. The enterprise system 110 also includes enterprise resources 130logically positioned behind the internal firewall 124, illustrated asresources 1 to N. At least some of the enterprise resources 130 can beconfigured to be accessed and/or used by the mobile devices 120, such asby software applications installed and running on the mobile devices.

Referring still to FIG. 1A, the mobile devices 120 can communicate withthe carrier network 125 via connections 142, such as cellular networkconnections and/or WIFI connections that ultimately connect to carriernetworks. A mobile device's enterprise access request can be sent to thesecure mobile gateway 128 via a connection 146, and the gateway 128 cansend the request to an enterprise resource 1802 via an internalconnection 154. Further, the enterprise system 110 can use theconnections 142, 146 to send information back to the mobile device 120,such as data responsive to the device's enterprise access request.

In some embodiments, a software application on a mobile device 120 cancommunicate with an enterprise resource 130 through an applicationtunnel via connections 142, 144, and 152. Application tunnels aredescribed in further detail below. In the illustrated embodiment, themobile device management system 126 acts as a “tunneling mediator”within an application tunnel between the mobile device 120 (andtypically a specific application running on the mobile device) and theenterprise resource 130.

FIGS. 1B and 1C illustrate embodiments that are similar to FIG. 1A,except that the mobile device management system 126 and meta-application150 are respectively located (completely or at least partially) in acloud computing system or environment 156 (“the cloud”). (In a hybrid ofthese two approaches, both the mobile device management system 126 andmeta-application 150 reside in the cloud.) A cloud computing systemtypically includes computing resources configured to implement a serviceover a network, such as the Internet. For example, a cloud computingsystem can include a plurality of distributed computing resources, suchas physical servers or other computing devices. With a cloud computingsystem, computing resources can be located at any suitable location thatis accessible via a network. A cloud computing system can store andprocess data received over a network, while being accessible from aremote location. Typically, a cloud computing system is operated by aservice provider that charges the enterprise, and other users of thecloud based computing system, a usage fee for using the system. Incertain embodiments, both the mobile device management system 126 andthe meta-application 150 are located at least partially in the cloud156. In the embodiment of FIG. 1B, the cloud-based device managementsystem 126 can be configured to provide gateway rules to the securemobile gateway 128 via a connection 158, as described in further detailbelow. Further, a software application on a mobile device 120 cancommunicate with an enterprise resource 130 through an applicationtunnel via connections 142, 160, and 162, with the mobile devicemanagement system 126 acting as a tunneling mediator. In the embodimentof FIG. 1C, the meta-application portion 151 located in the cloud 156can be configured to provide gateway rules to the secure mobile gateway128 via a connection 164, as described in further detail below. Themeta-application 151 (or its rules engine) may alternatively beincorporated into the mobile device management system 126, in which caseit may orchestrate the management of the mobile device management system126.

FIG. 1D is an embodiment similar to FIG. 1A, with the secure mobilegateway 128 implemented in the firewall 122. In the embodiment of FIG.1D, the secure mobile gateway 128 can be implemented in a ThreatManagement Gateway (TMG) server. As illustrated in FIG. 1D, someembodiments of the enterprise system 110 can be implemented without aninternal firewall 124.

FIG. 1E is an embodiment similar to FIG. 1A, with the secure mobilegateway 128 implemented in an enterprise resource 130. In the embodimentof FIG. 1E, the secure mobile gateway 128 can be implemented in anInternet Information Services (IIS) server. Such an IIS can beconfigured as an enterprise resource 130 and/or an internal firewall124.

It will be understood that any of the enterprise systems 110 can beimplemented with any of the principles and advantages described herein,as appropriate. Moreover, it will also be understood that the enterprisesystems illustrated in FIGS. 1A-1E are provided for illustrativepurposes, and other suitable systems can be implemented in accordancewith the principles and advantages described herein.

FIG. 2 is a schematic illustration of an embodiment of the mobile devicemanagement system 126 of FIG. 1A. The mobile device management system126 can comprise a system of one or more computers, computer servers,storage devices, and other components. As explained in greater detailbelow, the mobile device management system 126 can be configured tomanage or co-manage the application of “mobile device rules” 214 to themobile computing devices 120, and/or to act as a “tunneling mediator”between the mobile devices 120 and the enterprise resources 130 duringuse of application tunnels therebetween. The mobile device managementsystem 126 can also be configured to regulate mobile device access tothe enterprise system 110, such as during use of such applicationtunnels. The illustrated components of the system 126 are describedbelow.

FIG. 3A is a schematic illustration of an embodiment of a mobilecomputing device 120. The mobile device 120 can include a number ofordinary or standard components of a mobile device, such as a powersupply 301, a processor 302, a user interface 304, a hard drive memory306, a memory card (e.g., Secure Digital (SD) card) port 307, a randomaccess memory 308, a network interface 310, a subscriber identificationmodule (SIM) card port 312, a camera 314, and/or a GPS chip 316. Theimplementation and use of these components is generally well known andis not discussed herein in significant detail. The power supply 301 caninclude a battery port, battery, and/or a port for receiving electricalpower from an external source (e.g., a standard electrical outlet). Theprocessor 302 can be configured to execute software applications andvarious other executable components. The user interface 304 can includeany of various known components, such as a keypad 324 (such as a set ofphysical buttons or, alternatively, a touchscreen keypad) for receivingtext input, a screen or display 326 (which can be a touchscreen) fordisplaying text, images, and/or video, a speaker 328 or audio out portfor producing audible output, and/or a microphone 330 for receivingaudible input. The hard drive 306 can comprise any of a variety ofdifferent types of nonvolatile and/or non-transitory computer-readablestorage. The memory card port 307 is configured to receive a memory card(e.g., an SD card) on which data can be stored. The random access memory308 can be used to store data used during the running of variousprocesses. The network interface 310 can be used to send and receivedata over a network (e.g., the wireless network 125, which can operatein accordance with a number of standards, such as Wi-Fi, 3G, 4G, etc.).The SIM card port 312 is configured to receive a SIM card, as known inthe art. The camera 314 can be configured to capture images and/orvideo. The GPS chip 316 can be configured to process GPS signals. Themobile device 120 can further include one or more installed softwareapplications 318. The installed software applications 318 can be stored,for example, on the hard drive 306 or in non-volatile solid statestorage. The installed applications can include both enterpriseapplications and personal applications. It will be appreciated that themobile device 120 can include any other computer hardware components inplace of or in addition to those illustrated in FIG. 3, such as anaccelerometer, transceiver, battery charger, USB controller, basebandprocessor, audio codec, etc.

In the illustrated embodiment, the mobile device 120 includes anenterprise agent 320, which is preferably a software application orother executable program installed on the mobile device. The enterpriseagent 320 is preferably separate from the operating system of the mobiledevice 120. In some embodiments, however, the enterprise agent 320 canbe a component of the operating system of the mobile device orpartially/fully embedded into the operating system of the mobile device120. In various embodiments described in greater detail below, theenterprise agent 320 executes the mobile device rules 214 and cooperateswith the enterprise system 110 to regulate the mobile device's access tothe enterprise system 110, including to the enterprise resources 130. Insome embodiments, an enterprise system 110 can prompt an enterpriseagent 320 to connect to the system 110 (e.g., the mobile devicemanagement system 126) by sending a text message (e.g., SMS) to themobile device 120, with a connection command.

The enterprise agent 320 can be installed onto the mobile device 120 asa condition of the mobile device's enrollment with the mobile devicemanagement system 126. The enterprise can employ an automated subsystemfor installing enterprise agents 320 onto the mobile devices 120associated (e.g., enrolled) with the enterprise. For example, a mobiledevice manager 202 can be configured to send the enterprise agents 320to the mobile devices 120 for automated installation or manualinstallation by the users 115. Alternatively, IT personnel can manuallyinstall the enterprise agents 320 onto the mobile devices 120, or endusers can download and install the enterprise agent 320 fromcommercially available application stores. Different types of enterpriseagents 320 can be provided for different mobile device types, platforms,operating systems, etc. The mobile device manager 202 or anothersoftware component of the enterprise system 110 can be configured toselect an appropriate enterprise agent 320 for each given mobile device120, based on such properties of the mobile devices 120 (e.g., mobiledevice properties 208 of FIG. 2).

Enterprise Agent and Other Security Components Installed on MobileDevices

The enterprise agent 320 may implement a variety of security-relatedfeatures, including features that control (or enable the control of)mobile device accesses to enterprise resources 130. For example, theenterprise agent 320 installed on a given mobile device 120 may perform(i.e., instruct or cause the mobile device 120 to perform) some or allof the following tasks: (1) maintain a data connection with theenterprise system 110, which connection can be used both for applicationtunnels and for communications that do not involve application tunnels;(2) provide access to a public or private enterprise app store fromwhich the user can download enterprise applications that have beenapproved by and configured for the particular enterprise; (3) createapplication tunnels for enabling enterprise applications installed onthe mobile device to securely access certain enterprise resources, (4)collect, and transmit to the mobile device management system 126,“inventory” data regarding the properties and configuration of themobile device, such as its manufacturer, model, operating system, screensize, memory size, memory availability, GPS coordinates, and whichpersonal and enterprise mobile applications are installed on the device;(5) implement a log-in or other authentication service that requests andverifies the user's authentication information (e.g., passcode) when,for example, the user launches an enterprise mobile application; (6)decrypt encrypted message attachments received from the secure mobilegateway 128, such as encrypted attachments to email messages receivedfrom other members of the user's enterprise; (7) maintain a secure keystore that is accessible by enterprise applications for obtaining keysfor encrypting and decrypting data; (8) check for blacklisted mobileapplications installed on the mobile device, and report any suchapplications to the mobile device management system; (9) performprecautionary actions, such as deleting decryption keys used fordecrypting message attachments, when certain conditions are met, such aswhen a blacklisted mobile application is detected on the mobile deviceor the device is reported as stolen, (10) kill (terminate execution of)any blacklisted applications or other mobile applications determined tocreate a security risk, (11) provide one or more additional services forkeeping enterprise applications and data on the device separate frompersonal application and data; and (12) wiping the device of allenterprise application and data (in response to a command received fromthe mobile device management system) when, for example, the userdiscontinues employment with the enterprise. As described below, some ofthese functions may alternatively be implemented in a separate mobileapplication or component that is distinct from the enterprise agent 320.

The enterprise agent 320 collects information about the mobile device'sconfiguration using standard operating system APIs and mechanisms,and/or using its own APIs and mechanisms. For example, inimplementations for the Android operating system, the enterprise agentmay query the package manager to obtain a list of the applicationsinstalled on the device. The enterprise agent can similarly query theoperating system for a list of mobile applications that are currentlyrunning, and can monitor broadcast messages to identify new applicationsthat are being installed. The device configuration information collectedby the enterprise agent through this process may be reported to themobile device management system 126, which may use the information togenerate rules that are applied by the secure mobile gateway 128 tocontrol the mobile device's accesses to enterprise resources 130. Theenterprise agent 320 may itself also use the collected deviceconfiguration information to take various precautionary actions, such askilling blacklisted mobile applications as mentioned above.

In one embodiment, the enterprise agent 320 is (or is part of) a mobileapplication that can be downloaded from an application store andinstalled on a mobile device 120. Once the enterprise agent has beeninstalled and launched, the end user supplies configuration information,such as a corporate email address and email password, for enabling theagent to communicate with a particular enterprise system 110. Onceconfigured, the agent 320 provides the user access to a secureapplication store from which the user can download and installenterprise mobile applications that have been approved by, and in somecases specifically configured for, the user's enterprise. Thefunctionality for downloading and installing enterprise mobileapplications may alternatively be embodied within a separate “securelauncher” mobile application that runs in conjunction with theenterprise agent.

FIG. 3B illustrates some of the executable security-related components350 that may be installed or implemented on a mobile device 120 with, oras part of, the enterprise agent 320. As will be recognized, some ofthese components 350 can be installed without others, and theillustrated components can be combined in various ways. One component isa key store 350A that stores one or more encryption keys. In oneembodiment, the key store is implemented and managed by the enterpriseagent 320, which enables the enterprise applications to access the keystore to obtain encryption keys. A given enterprise application may, forexample, use the encryption keys to encrypt files and other data storedto memory 348.

With further reference to FIG. 3B, a secure launcher 350B may also beinstalled on the mobile device 120 for launching enterpriseapplications. The secure launcher may be part of the enterprise agent320, or may be a separate mobile application. The secure launcher 350Bmay implement or enforce various security policies, such as requiringuser entry of a valid passcode when an enterprise application islaunched. One embodiment of a user interface implemented by the securelauncher 350B is shown in FIGS. 1F and 1G and is described below. Asdescribed below, enterprise applications may be modified or written touse the secure launcher rather than the general launcher included in themobile device's operating system. In one embodiment, the secure launcheralso includes functionality for wiping the mobile device 120 of allenterprise applications and data in response to a threshold number ofconsecutive invalid passcode entry attempts, or in response to aremotely issued command from the enterprise's IT department.

As further shown in FIG. 3B, a secure virtual machine 350C may beinstalled on the mobile device 120 in some embodiments to create oraugment a secure execution environment for running some or all of theenterprise applications. This secure virtual machine (VM) supplements,and may run concurrently with, the mobile operating system's default VM.For example, one or more enterprise mobile applications may run withinthe secure VM while all other mobile applications, including allpersonal mobile applications, run on the same device in the operatingsystem's default VM. As described below under the heading “SecureVirtual Machine,” the secure VM 350C implements a variety of policiesand measures (such as security, management, storage, networking, and/orprocess execution policies) that are not implemented (or are implementedunsuitably for enterprise applications) in the mobile operating system'sdefault VM. For example, the secure VM may be capable of establishingapplication tunnels for accessing the enterprise system, and may routerequests from enterprise applications over corresponding applicationtunnels. The secure VM may also prevent an enterprise application fromrunning unless and until the user enters a valid passcode or otherwisesuccessfully authenticates. The secure VM may be installed on a mobiledevice together with a set of code libraries that are used by the secureVM in place of corresponding code libraries of the operating system.

One benefit of using a secure VM 350C is that it reduces or eliminatesthe need for the mobile applications to be specifically written ormodified for use with an enterprise system 110. For example, anenterprise may wish to make a particular commercially-available mobileapplication available to its employees for use in accessing companyresources, but may not have permission to modify the application toimplement the various security features described herein (such asauthentication, secure storage, and secure networking). In such ascenario, the enterprise may configure the mobile application or themobile device to cause this particular application, when executed, torun only within the secure VM.

The secure VM is preferably implemented as a separate mobileapplication, but may alternatively be part of another application orcomponent (such as the enterprise agent 320 or the secure launcher350B). The secure VM may be invoked in various ways; for example, theenterprise agent may request that the secure VM run a particularapplication, or an application may, upon being launched, request orspecify the secure VM as it's execution environment. In someembodiments, the secure launcher 350B and the secure VM 350C are used incombination to create a secure space for running enterpriseapplications, although each can be used independently of the other.Additional details of the secure VM are described below in the sectiontitled Secure Virtual Machine.

As further shown in FIG. 3B, a secure container component 350D may alsobe installed on the mobile device 120, preferably as a separate mobileapplication or as part of the enterprise agent 320. This component 350Dis responsible for creating a secure container on the mobile device forthe enterprise applications to store documents and other information.One embodiment of this feature is described below under the headingSecure Document Containers. In some embodiments, when a selective wipeoperation is performed, some or all of the documents and data stored inthe secure container are deleted from the mobile device or are otherwisemade inaccessible.

FIG. 3B also shows two types of mobile applications 318 that may beinstalled on the mobile device 120: enterprise applications 318A andpersonal applications 318B. As illustrated, an enterprise application318 may include executable security code 360 (code libraries, etc.) forimplementing some or all of the disclosed client-side security functions(application tunnels, passcode verification, encryption of data, etc.)This security code 360 may be added via a special SDK, or may be addedpost-development via the application wrapping process described below inthe section titled Modifying Behaviors of Pre-Existing MobileApplications. As mentioned above, in some cases a given enterpriseapplication may not include any security code 360, but may instead runwithin either a secure VM 350C or a secure browser that imposes a layerof security on the enterprise application.

In addition to the components shown in FIG. 3B, one or more codelibraries may be installed on the mobile device for implementing varioussecurity functions, such as data encryption and formation of applicationtunnels. As one example, a custom SSL library may be installed and usedin place of the operating system's SSL library to create secureapplication tunnels, as described below in the section titledApplication Tunnels.

User Interface for Launching Enterprise Applications

In one embodiment, which is depicted in FIGS. 1F and 1G, the securelauncher 350B displays a persistent display element 170 (FIG. 1F) at theedge of the mobile device's screen. This display element preferablyremains visible across all of the device's home screens and when user isin an application. If the user taps on this display element 170 orswipes it to the left, a rotatable carousel or “wheel” (FIG. 1G) isdisplayed that includes respective icons 174 corresponding to specificenterprise applications or groups (folders) of enterprise applicationsinstalled on the device. (The other icons 175 shown in FIGS. 1G and 1Ftypically correspond to personal mobile applications, and/or folders ofsuch applications, installed on the device.) By rotating the wheel 174via an upward or downward swipe gesture, the user can expose additionalicons 174 corresponding to additional enterprise applications orfolders. Tapping on an application icon 174 causes the associatedenterprise application to be launched, and tapping on a folder icon 174causes the enterprise applications stored in the folder to be displayed.The user can also swipe the wheel 172 to the right to cause it to returnto the retracted position shown in FIG. 1F. In the illustratedembodiment, the enterprise applications can only be launched from thewheel (with the secure launcher), and cannot be launched using thegeneral launcher of the device's operating system.

In some embodiments, when the user launches an enterprise applicationvia the wheel 172, the user is prompted to enter a passcode, and theapplication is not launched unless the correct passcode is entered. Thetask of requesting and verifying the passcode may, for example, beperformed by the enterprise agent 320 (FIG. 3A), by a separate securelauncher 350B (FIG. 3B), by a secure virtual machine 350C (FIG. 3C), orby code 360 that is added to the enterprise application via an SDK or anapplication wrapping process. These and other techniques for providing asecure execution environment for running enterprise mobile applicationsare described further below.

In one embodiment, which is shown in FIG. 1F, the wheel 172 is displayedas a transparent or translucent overlay that enables the user to viewand select the home screen icons 175 falling “behind” the wheel, suchthat the user can launch the personal applications corresponding tothese icons 175. In another embodiment, the wheel is opaque, and thusobstructs the view of any icons 175 falling behind it. In yet anotherembodiment, the home screen icons 175 disappear when the wheel is“pulled out,” or is pulled out beyond a particular point.

The secure launcher's user interface may also include features forenabling the user to, for example, arrange the icons 174 on the wheel172, control the position of the wheel (e.g., which screen edge itextends from), and control the extent to which the wheel is displayed.The selectable element 170 (FIG. 1F) for pulling out and retracting thewheel preferably remains persistent across all of the device's homescreens, such that the enterprise applications can be easily accessedfrom any of these screens.

Overview of Mobile Device Management System

Referring to FIGS. 1A and 2, embodiments of the mobile device managementsystem 126 are configured to create, edit, and provide gateway rules tothe secure mobile gateway 128, as discussed in detail below. The mobiledevice management system 126 can also act as a tunneling mediator forapplication tunnels between the mobile devices 120 and the enterpriseresources 130 or other network resources within or even outside theenterprise system 110. The components of the illustrated mobile devicemanagement system 126 are now described.

The illustrated mobile device management system 126 includes a mobiledevice manager component 202 (FIG. 2), which preferably comprises asoftware application that runs on one or more physical machines. Themobile device manager 202 can be configured to both provision andmaintain enrollments of the mobile devices 120 with the enterprise.Preferably, the mobile device manager 202 is configured to handle orparticipate in the provisioning and decommissioning of the mobiledevices 120 associated with the enterprise.

In the illustrated embodiment of FIG. 2, the mobile device managementsystem 126 includes mobile device information or attributes 204 storedin computer-readable or machine-readable storage. The mobile deviceinformation 204 preferably includes properties or attributes 208 of themobile devices 120 enrolled with the mobile device manager 202, such asdevice type or platform (e.g., platforms for iPhone™, Android™ WindowsMobile™, etc.), device model, operating system version, devicecapabilities and features, identifiers of installed applications, etc.In certain embodiments, the mobile device properties 208 are ones thatare permanent (e.g., device type, platform). In some embodiments, themobile device properties 208 can also be properties subject to regularor periodic change (e.g., software or operating system version, whichmobile applications are installed, etc.). As mentioned above, thevarious properties of a given mobile device may be determined, andreported to the mobile device management system 126, by the enterpriseagent 320 installed on the mobile device 120. Device propertyinformation may also be supplied by system administrators.

The mobile device information 204 can also include user-deviceassignment records 210 that identify which users 115 or user accountsare assigned to the enrolled mobile devices 120, as well as roles 206 ofthe users 115 within the enterprise. A user's role 206 typicallyassociates the user 115 with the enterprise-related duties or activitiesin which the user engages. Roles 206 can have names and, optionally,associated definitions. The roles 206 (and role names) can mimic theenterprise's departments and positional hierarchy. For example, anenterprise can define roles with names such as Upper Management,Officer, Sales, Accounting, Engineering, Word Processing, HumanResources, etc. In this scheme, a salesperson can be given the role“Sales,” an engineer can be given the role “Engineering,” and so forth.Also, roles 206 can be defined as broadly or as narrowly as may suit theneeds of the enterprise. For example, an enterprise can give all of itsengineers the “Engineering” role. Alternatively or additionally, theenterprise may wish to define narrower roles such as “ComputerEngineer,” “Materials Engineer,” “Semiconductor Processing Engineer,”etc, particularly if the enterprise wishes to differentiate the mobiledevice authorizations of its different types of engineering personnel.Further, a user 115 can be assigned to multiple roles 206, dependingupon the user's duties or activities associated with the enterprise. Incertain embodiments, an enterprise may use an RBAC (role-based accesscontrol) system to assist in the regulation of enterprise resources 130,and the user roles 206 can relate to or be the same as the roles definedin the RBAC system.

The enterprise agents 320 of the mobile devices 120 can be configured tosend device-related data to the mobile device management system 126periodically, and/or whenever the mobile devices 120 connect to themobile device management system 126 (e.g., upon the formation of anapplication tunnel). For instance, the enterprise agents 320 can senddata concerning software applications installed on the mobile devices120, software upgrades, system information, etc., as described above. Inone embodiment, the agent 320 sends such device-properties informationover the same connection that is used for application tunnels, butwithout the use of an application tunnel.

With continued reference to FIGS. 1A and 2, the mobile device managementsystem 126 can include one or more enterprise access policies 218 storedin computer storage. The access policies 218 preferably defineconditions under which mobile device access to enterprise resources 130will be granted or denied. In some embodiments, a single access policy218 can apply to mobile devices 120 of different makes, models,operating systems, or any combination thereof. Policies 218 can dependon user roles 206, mobile device properties 208, the specific enterpriseresources 130 requested to be accessed by the mobile devices 120, or anycombination thereof. The mobile device management system 126 can use theaccess policies 218 to process mobile device access requests receiveddirectly by the mobile device management system 126, including requestsreceived via secure application tunnels. Additionally, as describedbelow, the secure mobile gateway 128 can leverage the access policies218 to grant or deny mobile device access requests received directly bythe secure mobile gateway 128.

As shown in FIG. 2, the mobile device management system 126 can includea script-editing tool 220 for editing scripts that are executable on themobile devices 120, as described below. The mobile device managementsystem 126 can also include a tool 221 for editing mobile device rules214 and remedial actions 216, as described below.

The mobile device management system 126 can include a gateway rulegenerator 222 for creating, editing, and/or sending gateway rules to thesecure mobile gateway 128, as described below. These tools 220, 221 may,for example, be used by IT administrators to implement varioussecurity-related features and policies, as described below.

The mobile device management system 126 can include a tunneling mediatormodule 224 for mediating an application tunnel between a softwareapplication running on a mobile device 120 and another resource, such asan enterprise resource 130, as described below. The tunneling mediatormodule 224 can also be configured to grant or deny access requests basedon the access policies 218 and information 204.

The mobile device management system 126 can also include a remedy agent226 for executing remedial actions provided by the meta-application 150and/or 151, as described below. The remedy agent 226 may execute varioustypes of remedial actions based on conditions specified by rules, forexample, as described generally in Qureshi '526.

With further reference to FIG. 2, the above-described functionalcomponents 202, 224, 220, 221, 222, 226 of the mobile device managementsystem 126 may be implemented in executable program code modules thatrun on appropriate computer hardware, such as on one or more physicalservers or other computing devices. These components may, for example,run on a single physical server or other machine, or may be distributedacross multiple machines on a network. In some embodiments, some or allof these components may alternatively be implemented in firmware or inapplication-specific hardware (ASICs, FPGAs, etc.). The various data ordata storage components 210, 212, 218, 228 of the mobile devicemanagement system 126 may be implemented in any appropriate type ortypes of computer storage (e.g., hard disk drives, solid state memoryarrays, optical storage devices, etc.) using databases, flat files,and/or other types of data storage arrangements.

For example, an enterprise may wish to use multiple mobile devicemanagement systems 126. An enterprise with multiple offices may useseparate systems 126 for the separate offices. This may be useful if theenterprise has offices located in different geographical areas. Forexample, a large enterprise with offices in England, Japan, and the U.S.may use three different mobile device management systems 126 locatedwithin or near to those office locations. In such embodiments, eachmobile device management system 126 can be responsible for managingmobile devices 120 in a different geographical area, wherein such mobiledevice management can comprise sending rule packages to the mobiledevices 120 (as described below) and/or regulating access to enterpriseresources 130. In such embodiments, the secure mobile gateway 128 ispreferably configured to communicate with each of the mobile devicemanagement systems 126 for the purposes described herein. In someimplementations, a console is provided that can be used to view thevarious systems 126 associated with a given enterprise.

Use of Secure Mobile Gateway to Regulate Mobile Device Access toEnterprise System

With reference to FIG. 1A, an enterprise may wish to regulate how itsmobile device users 115 access the enterprise resources 130 via themobile devices 120. Any given enterprise user 115 typically only has aneed to access a subset of the enterprise resources 130, ordinarilybased upon the user's duties or role within the enterprise. Therefore,since there is no need to provide the user 115 with mobile device accessto many of the resources 130, doing so can expose the enterprise tounnecessary security risks. For example, an enterprise may wish toprevent many of the users 115 from using their mobile devices 120 toaccess highly sensitive, confidential information of the enterprise,particularly if the users do not need to access such information toperform their duties toward or associated with the enterprise. This canprevent, for example, a disgruntled employee from harming the enterpriseby accessing and perhaps disseminating sensitive enterprise-relatedinformation. Also, applications and files installed on the mobiledevices 120 can have malware or viruses that can get transferred to theenterprise's computer system 110 or that can upload or steal sensitiveinformation. Limiting mobile device access to specific enterpriseresources 130 can prevent the malware and viruses from infecting otherenterprise resources 130. As discussed below, the mobile devicemanagement system 126 and secure mobile gateway 128 preferably addressthese issues by enabling an enterprise to restrict mobile device accessonly to authorized enterprise resources 130, in a way that iscustomizable based on user properties, mobile device properties, and/orthe enterprise resources 130 for which mobile device access isrequested.

With the proliferation of mobile devices and the desire to use existingapplications for the mobile devices, a need exists to take action at anetwork level to provide controlled access to enterprise resources.Moreover, as enterprises implement BYOD (bring your own device) or BYOT(bring your own technology) policies, a need exists for flexibilitywhile addressing the increasingly complex task of protecting enterpriseresources and sensitive enterprise data. Such flexibility can includeallowing a number of different mobile devices and/or applicationsrunning on such mobile devices to access enterprise resources whileproviding a desired level of control over such access to enterpriseresources. As one example, it can be desirable to allow mobile devices120 having a variety of different email clients to access enterpriseresources and to enable the enterprise to implement certain protections,such as denying some access requests in certain circumstancesconfigurable by the enterprise and/or encrypting at least a portion ofdata provided to email clients of a mobile device based on enterprisepolicies, when allowing the various email clients to access enterprisedata. Allowing a variety of existing mobile applications to accessenterprise resources can eliminate the need to develop proprietaryapplications and/or modify existing applications in order to accessenterprise resources. At the same time, implementing a desired level ofcontrol over access to enterprise data can allow an enterprise to strikea balance between protecting enterprise data and enabling users toaccess the enterprise data on a mobile device 120.

A secure mobile gateway 128 can assist in flexibly protecting sensitiveenterprise data accessed by mobile devices 120. The secure mobilegateway 128 can monitor and log traffic between one or more enterpriseresources 130 and a mobile device 120. The secure mobile gateway 128 canapply rules to implement enterprise policies applied to a selectedmobile device 120. Based on a particular protocol, the secure mobilegateway 128 can take actions to implement enterprise policies as appliedto the selected mobile device 120 that is requesting access to anenterprise resource 130. Thus, in the context of a mobile device 120communicating with an enterprise computing system 110, the secure mobilegateway 128 can take actions associated with a protocol and certainconditions to provide access to enterprise resources 130. It will beunderstood that the secure mobile gateway 128 can control trafficassociated with any suitable protocol, for example, the protocolsdescribed herein. Any combination of the policies, rules, and remedialaction described herein can be implemented by the secure mobile gateway128. Moreover, the secure mobile gateway 128 can implement a variety ofother policies, rules, remediation actions, or any combination thereofin accordance with the principles and advantages described herein.

The secure mobile gateway 128 can include a gateway filter thatfunctions as a protocol analyzer and a rules remediator. The gatewayfilter can detect a defined protocol, such as ActiveSync or HTTP(s),associated with enterprise traffic. The gateway filter can implementgateway rules that take certain actions for a particular protocol andone or more conditions. For example, when a request from a mobile device120 to access an enterprise resource 130 is an ActiveSync request, thegateway filter can implement rules specific to the ActiveSync protocol.In this example, the conditions can be that the mobile device 120 isassociated with an executive of the enterprise that is likely to receivesensitive enterprise information. The gateway filter can then take theaction of encrypting attachment data before sending the data to themobile device of the executive. In another example, the gateway filtercan deny a request by a mobile device 120 to access an enterpriseresource 130 due to the mobile device 120 having a certain applicationinstalled thereon.

FIG. 4 schematically illustrates the architecture and operation of anembodiment of the secure mobile gateway 128 of FIG. 1A. The securemobile gateway 128 can be implemented at or control any junction in acomputing system through which protocol traffic flows. For instance, thesecure mobile gateway 128 can be implemented in a firewall, anenterprise server (such as an application server), or between a firewalland an enterprise server. As another example, a virtual secure mobilegateway 128 can communicate with an enterprise server (e.g., via aPowerShell interface) to implement enterprise access policies forrequests from mobile devices. The secure mobile gateway 128 can beimplemented as a plugin to a firewall server 400 of the enterprisenetwork, such as the firewall 122 of FIG. 1A. For instance, most of thefirewall products sold by Microsoft Corporation™ run InternetInformation Services (IIS), which is a service that processes web serverrequests. IIS has plugin architecture that allows embodiments of thegateway 128 to be plugged into the firewall products. One particular APIof IIS is the Internet Server Application Programming Interface (ISAPI).Embodiments of the secure mobile gateway 128 can be integrated withvarious firewall technologies, such as Microsoft Forefront ThreatManagement Gateway (TMG), Microsoft Forefront Unified Access Gateway(UAG), Microsoft Forefront Identity Manager 2010 (FIM 2010), MicrosoftISA 2006, Barracuda firewalls, Sonic firewalls, Cisco firewalls, andothers. When the secure mobile gateway 128 is integrated with certainfirewalls, such as TMG, the secure mobile gateway 128 can be implementedby one or more enterprise resources 130 (FIG. 1E) or at least one deviceconfigured to control the one or more enterprise resources 130. Incertain embodiments, such as for enterprises that do not use a perimeterfirewall 122 (FIG. 1A), the secure mobile gateway 128 can be integratedwith interior servers of the enterprise, such as Client Access Servers(“CAS servers”) that support ActiveSync. In some other embodiments, thesecure mobile gateway 128 can be implemented by at least one computingdevice configured to communicate with a firewall server. In this way,the secure mobile gateway 128 can control some or all of the trafficthrough a firewall without the firewall server being modified. This canenable an enterprise to implement the secure mobile gateway 128 incombination with an unmodified third party firewall.

Although the secure mobile gateways 128 of FIGS. 1A-1E are shown ascontrolling traffic related to a single enterprise system 110 forillustrative purposes, it will be understood that one secure mobilegateway 128 can be implemented to handle requests associated with two ormore different enterprise systems 110, including systems 110 of distinctcompanies or other enterprises. When handling requests associated with aplurality of different enterprise computing systems 110, the securemobile gateway 128 can implement different rules for each of thedifferent enterprise computing systems 110. For example, one securemobile gateway 128 can be implemented for several different enterpriseemail systems each having different email policies. In some of theseembodiments, the secure mobile gateway 128 can communicate withdifferent mobile device management systems 126 of enterprise computingsystems 110 of different companies.

The illustrated secure mobile gateway 128 in FIG. 4 includes a gatewayfilter 401 that can be configured to receive and process enterpriseaccess requests 402 from mobile devices 120, each request beingformatted according to a protocol supported by the secure mobile gateway128. The gateway filter 401 can be embedded into a firewall server 400.In some other implementations, the gateway filter 401 can be implementedto control traffic through a separate firewall sever. The gateway filter401 can be configured to allow the access request 402 to reach anenterprise resource 130, or deny the request 402. The gateway 128 can beconfigured to support one or more different request protocols, such asActiveSync requests, SharePoint requests, EWS requests, SAP requests,and/or requests associated with various other web server applications.In one embodiment, blocks 401, 404, 406, 410 and 412 in FIG. 4 representcomponents that can be added (e.g., as part of a firewall plug-in) to acommercially-available firewall or firewall server 400 to implement thesecure mobile gateway 128.

Take for example the case of a secure mobile gateway 128 configured toprocess ActiveSync requests to synchronize enterprise system data withmobile devices 120. ActiveSync is a well-known mobile datasynchronization technology and protocol developed by Microsoft™. Oneimplementation of ActiveSync, commonly known as Exchange ActiveSync (orEAS), provides push synchronization of contacts, calendars, tasks, andemail between ActiveSync-enabled servers and mobile devices. The gatewayfilter 401 can be configured to intercept every incoming request 402,determine if it is an ActiveSync request, and consult a database ofgateway rules 404 to determine if the gateway filter 401 should allow ordeny the request. The request can be, for example, an HTTP request. Thedatabase of gateway rules 404 can be a local database stored on theenterprise firewall server 400. In the case of an allowed ActiveSyncrequest 402, the gateway filter 401 can send the request to theenterprise resource 130, which can comprise a Microsoft Exchange server.

The gateway filter 401 can detect whether the request 402 is anActiveSync request by inspecting the request's header and possibly bodyto detect indicia of the ActiveSync protocol. Each ActiveSync commandtypically comprises a web Uniform Resource Locator (URL) issued by themobile device 120. After the URL, the request typically includes queryparameters and an ActiveSync command. To illustrate, consider thefollowing ActiveSync request:

http://myDomain.com/Microsoft-Server-ActiveSync?User=XXX&DeviceId=XXX&DeviceType= XXX&Cmd=PingThe secure mobile gateway 128 can obtain the DeviceId and DeviceTypefrom the URL, the UserAgent parameter from the HTTP header, theauthenticated User parameter from the HTTP session, and the Cmdparameter. The secure mobile gateway 128 can be configured to filter therequests 402 based on one or more of these properties. Note that theActiveSync protocol also allows for the URL parameters to be encoded inan alternate form using a base 64 encoded representation. In the aboveexample, the gateway 128 can determine that the request is an ActiveSyncrequest from the string “Microsoft-Server-ActiveSync.”

A gateway rule 404 can include one or more values of properties of amobile device request 402 formatted according to a protocol supported bythe secure mobile gateway 128. Such properties can comprise URLparameters, header values, commands, etc. The gateway filter 401 can beconfigured to filter the requests 402 based at least partly on theseproperties. In the case of ActiveSync, the request properties caninclude DeviceID and DeviceType (taken from the request URL), the Userand UserAgent parameters (taken from the HTTP headers), and one or moreActiveSync command parameters (ActiveSync defines numerous differentcommands, such as sync mailbox, send mail, get attachment, etc.). Agateway rule 404 can specify conditions under which a request is to begranted or denied by the gateway filter 401. Such a condition caninvolve a logical expression and/or combination of one or more values ofthe request properties of a protocol supported by the secure mobilegateway 128. For example, a gateway rule 404 can cause the gatewayfilter 401 to block all ActiveSync requests having any one of aparticular group of DeviceID values, and which issue the get attachmentcommand (for downloading an email attachment). As this exampleillustrates, a gateway rule 404 can identify one or more mobile devices120 and/or users 115. As this example also illustrates, a gateway rule404 can allow or deny access based on what a mobile device 120 isattempting to do or achieve by issuing an access request 402 to theenterprise system 110. Through the secure mobile gateway 128, anoperator of the secure mobile gateway 128 can customize gateway rules404 for a particular enterprise computing system 110.

In some embodiments, the secure mobile gateway 128 can be configured toinspect the body or “payload” of a request 402 to access an enterpriseresource 130, in order to detect additional information that may beuseful in evaluating whether to grant or deny the request. The payloadmay provide information about the specific data being requested, how themobile device application will use the requested data, and so on. Accesspolicies (e.g., policies 218 of the device management system 126) can becreated to regulate or restrict access based on such information. Forexample, the secure mobile gateway 128 may inspect the payloads ofmessages that are formatted according to selected protocols such asActiveSync, SharePoint, SAP, and/or those based on HTTP. The securemobile gateway may also modify protocol metadata in these messages toimplement various security-related features. For instance, as describedbelow under the heading “protecting attachment data,” the secure mobilegateway may be configured to inspect the payloads of ActiveSync or otherrequests 402 to determine whether they are associated with messages thatinclude attachments (such as email attachments); the secure mobilegateway 128 may also encrypt some or all of the identified attachmentsto prevent them from being stored in an unencrypted format on theassociated mobile devices 120.

The gateway rules 404 can be based on data provided by the mobile devicemanagement system 126 and/or data provided by an operator of the securemobile gateway 128. The mobile device management system 126 can converthigh level rules into relatively simple (lower level) rules and providethe relatively simple rules to the secure mobile gateway 128 forapplication to monitored traffic. The secure mobile gateway can alsoimplement rules provided by or based on inputs from an inference engineof a meta-application 150 and/or a meta-application portion 151 in thecloud 156 (such as the inference engine 824 of FIG. 8). The rules may,in some embodiments, be generated using the methods and components(including symptom logic) described in Qureshi '526.

The gateway rules 404 can take many different forms and can be writtenin a variety of programming languages, such as XML. In one embodiment, agateway rule 404 includes a list of “groups” plus an indication of adefault “action” (e.g., grant or denial of the access request or whetherto encrypt attachment data). In this context, a group is a collection of“group members” plus a corresponding action for the group. A groupmember can be a set of values of one, some, or all of the properties ofa mobile device request 402. Each group member can match an incomingmobile device access request 402 by any value of a property of a requestprotocol supported by the secure mobile gateway 128. The gateway filter401 can match an inbound request 402 with a group member by matching allof the property values of the group member to the corresponding propertyvalues of the request 402. If a group member does not include any valuesfor one or more possible request properties, the gateway filter 401 candetermine that it does not matter what are request's values for thoseparticular properties. In other words, a group member can effectivelyspecify “any” or “don't care” for one or more request properties. Hence,different group members can correspond to the same mobile device 120 oruser 115. For example, for a secure mobile gateway 128 that supportsActiveSync, the group members can match inbound HTTP requests 402 by anycombination of DeviceID, User, UserAgent, and DeviceType, as wellActiveSync Cmd values.

Here is one example of a gateway rule 404:

<Policy id=“Static + ZDM Rules : Block Mode” default-action=“Deny”missing-param-action=“Allow”>    <GroupRef id=“StaticAllow”action=“Allow” />    <GroupRef id=“StaticDeny” action=“Deny” />   <GroupRef id=“ZdmDeny” action=“Deny” />    <GroupRef id=“ZdmAllow”action=“Allow” />This gateway rule specifies a default action as a denial of an inboundaccess request received by the secure mobile gateway 128 from a mobiledevice 120. This gateway rule also specifies a “StaticAllow” group whoseaction is “Allow,” a “StaticDeny” group whose action is “Deny,” a“ZdmDeny” group whose action is “Deny,” and a “ZdmAllow” group whoseaction is “Allow.” Together a group and an action can be a subrule. TheStaticAllow and StaticDeny groups and their associated action areexamples of subrules that are local to the secure mobile gateway 128.Such subrules can be modified by an operator of the secure mobilegateway independent of the mobile device management system 126. TheZdmDeny and ZdmAllow groups and their associated actions are examples ofsubrules received from the mobile device management system 126. Thepriorities of the rules can be set in any suitable order. In the exampleabove, the StaticAllow and StaticDeny groups and their associatedactions are prioritized over the ZdmDeny and ZdmAllow groups and theirassociated actions. In this way, an operator of the secure mobilegateway 128 can override subrules provided by the mobile devicemanagement system 126.

A number of other sub-rules from various sources can be implemented withor in place of the above example subrules provided above. A gateway rule404 can alternatively or additionally define a number of other actionsfor the secure mobile gateway 128 to take for various groups, such asencrypting attachments for certain groups, modifying a body of a message(such as an email) for certain groups, blocking a mobile device 120 fromcertain groups from receiving messages in certain locations, etc.

To enforce the example gateway rule 404 provided above, the securemobile gateway 128 can access all of the group members of these fourgroups. Here is an example of a “group list” that can be provided to thesecure mobile gateway 128 (e.g., by a provider 408 as described below):

<GroupList>    <Group id=“StaticAllow”>       <ExternalMemberListpath=“allow.xml” />    </Group>    <Group id=“StaticDeny”>      <ExternalMemberList path=“deny.xml” />    </Group>    <Groupid=“ZdmAllow”>       <ManagedMemberList path=“zdm.xml”      groupId=“allow” />    </Group>    <Group id=“ZdmDeny”>      <ManagedMemberList path=“zdm.xml” groupId=“deny” />    </Group></GroupList>This group list defines locations of files containing lists of groupmembers, where each group member is identifiable by one or more valuesof properties of an access request 402 of a protocol supported by thegateway 128. For the ActiveSync protocol, each group member can includevalues of DeviceID, User, UserAgent, DeviceType, and Cmd parameters.

When the secure mobile gateway 128 receives an inbound mobile devicerequest 402, the gateway filter 401 can read the values of properties ofthe request 402 and match them against the corresponding property valuesof group members of the group list. If there is a match, the gatewayfilter 401 can enforce the action associated with the group. If there isno match, the gateway 128 performs the same analysis for the next grouplisted in the gateway rule 404. If there are no matches with any of thegroups of the gateway rule 404, the gateway 128 enforces the defaultaction. To the extent that there may be conflicts between the groups ofthe gateway rule 404, the secure mobile gateway 128 can be configured togive priority to groups that appear earlier in the rule.

Referring still to the above example of a gateway rule 404, after thegateway filter 401 reads the values of the request properties, thegateway filter 401 reads the property values of the group members of theStaticAllow group and determines if any of them matches any propertyvalues of the request 402. For example, for a gateway 128 supportingActiveSync, the DeviceID of the request 402 could match the DeviceID ofone of the group members. If there is such a match, the gateway filter401 enforces the action associated with the StaticAllow group, which isto allow the request 402 to pass through the firewall. If there is nomatch with any property values of any group member of the StaticAllowgroup, then the gateway filter 401 reads the property values of thegroup members of the StaticDeny group and determines if any of themmatches any property value of the request 402. If there is a match, thenthe gateway filter 401 enforces the action associated with theStaticDeny group, which is to deny the request 402. If there is no matchwith any property values of any group member of the StaticDeny group,then the gateway filter 401 reads the property values of the groupmembers of the ZdmDeny group and determines if any of them matches anyproperty value of the request 402. If there is a match, then the gatewayfilter 401 enforces the action associated with the ZdmDeny group, whichis to deny the request 402. If there is no match with any propertyvalues of any group member of the ZdmDeny group, then the gateway filter401 reads the property values of the group members of the ZdmAllow groupand determines if any of them matches any property value of the request402. If there is a match, then the gateway filter 401 enforces theaction associated with the ZdmAllow group, which is to allow the request402. If there is no match with any property values of any group memberof the ZdmAllow group, then the gateway filter 401 enforces the defaultaction, which is to deny the request 402.

The secure mobile gateway 128 can include a gateway configurationservice 406 that allows a user (e.g., administrators, IT personnel,etc.) to view, edit, and/or create gateway rules 404, and then save themin the local database. The configuration service 406 can be configuredto allow an administrator to set “static” gateway rules 404. A staticgateway rule can identify a mobile device 120 or groups of devices 120that are always to be granted access or denied access. For example, theadministrator can input a rule 404 that specifies that the mobile device120 (e.g., identified by ActiveSync DeviceId) used by the CEO of theenterprise is always granted access to the enterprise network 110. Asanother example, the administrator can input a gateway rule 404 thatdenies access to devices 120 that are known to have malware orincompatibilities with the enterprise network 110. The configurationservice 406 can also be configured to allow the user to adjust variousother settings and features of the gateway 128, including any of thosedescribed herein.

The gateway configuration service 406 can allow for gateway rules 404 tobe statically defined. Further, the secure mobile gateway 128 can beconfigured to receive gateway rules 404 from one or more external“providers” 408. A provider 408 can be any entity authorized by thegateway 128 to provide gateway rules 404 for regulating access to theenterprise network 110. The gateway 128 can have an open architecturethat permits IT personnel of the enterprise to add, remove, andconfigure the providers 408. Preferably, the gateway 128 supports anynumber of providers 408. The mobile device management system 126 can beone of the providers 408. Another provider 408 can be themeta-application 150 that manages some or all of the enterprise network110, such as the “backend” subnetwork behind the firewall 124 (FIG. 1A).Exemplary meta-application embodiments are described in Qureshi '536,and an at least partially cloud-based meta-application (which can be aprovider 408) is described below with reference to FIG. 8.

Each provider 408 can be configured to create and send one or moregateway rules 404 to the gateway 128. The providers 408 can beconfigured to query their own databases of information to create therules 404. Compared to the gateway 128, a provider 408 can havesignificantly more data on which to grant or deny mobile device accessrequests 402, such as information about the users 115 and/or mobiledevices 120. For instance, the illustrated mobile device managementsystem 126 (FIG. 2) can include a gateway rule generator 222 configuredto create and edit gateway rules 404 based on the enterprise accesspolicies 218 and the mobile device information 204 (including the mobiledevice properties 208, user-device assignment records 210, and userroles 206), and then send the rules 404 to the gateway configurationservice 406 of the gateway 128. The access policies 218 can comprisehigh level rules specifying whether mobile devices 120 can access theenterprise network or specific resources 130 thereof. The gateway rulegenerator 222 can be configured to read an access policy 218 and thenquery the mobile device information 204 to find specific devices 120 orusers 115 that match the criteria of the access policy 218. From thedetected devices and users, the gateway rule generator 222 can generatedevice- or user-specific gateway rules 404 that enforce the policy 218.The mobile device management system 126 can be configured to send listsof users 115 or devices 120 (e.g., in the form of “group members,” asdiscussed above) for which enterprise access is to be granted or denied,and send those lists to the gateway 128. The gateway 128 can beconfigured to use the lists to enforce the gateway rules 404.

For example, if an access policy 218 requires that all Android™ mobiledevices 120 having a Facebook™ application installed thereon are to bedenied access to the enterprise network 110, the gateway rule generator222 can query the mobile device information 204 to obtain a list of suchdevices 120. The gateway rule generator 222 can create one or moregateway rules 404 that instruct the gateway filter 401 to deny access tothe listed devices 120, and then send the created rules to the gatewayconfiguration service 406. In the case of a gateway 128 that supportsthe ActiveSync protocol, the gateway rule generator 222 can, forexample, generate a list of ActiveSync DeviceID's of Android™ mobiledevices 120 having a Facebook™ application installed thereon, and thencreate one or more gateway rules 404 instructing denial of access forsuch devices.

As the above example illustrates, an access policy 218 can comprise anylogical combination of conditions that can be transformed into a gatewayrule 404. The policy 218 in the above example represents a conjunction(AND operator) of two conditions: (1) that the mobile device is anAndroid™ device, and (2) that the device has a Facebook™ applicationinstalled thereon. It will be understood that a logical combination ofconditions can include OR operators, XOR operators, NOR operators, NANDoperators, THEN operators, mathematical operators (including “less than”and “greater than”), and any other suitable operators.

In addition to generating gateway rules 404 based at least partly on themobile device information 204, the gateway rule generator 222 can beconfigured to generate the rules based at least partly on a locallystored database of information received from the meta-application 150,such as a model of the enterprise network 110 and mobile devices 120, ordetected “features,” “problems,” and “root causes” (see below discussionof meta-application). In an embodiment in which the meta-application 150manages Microsoft Exchange™, the information received from themeta-application 150 can include ActiveSync partnership data.

As noted above, the meta-application 150 (FIGS. 1A-C) can be a directprovider 408 of gateway rules 404 to the secure mobile gateway 128. Themeta-application 150 can generate gateway rules 404 based on variousdata associated with the enterprise network 110, users 115, mobiledevices 120, or any combination thereof. The meta-application 150 canhave access to various information on which gateway rules 404 can bebased. For example, in support of its management tasks, themeta-application 150 can be configured to conduct “discovery” of theenterprise network 110 and mobile devices 120 to create and maintain aqueriable model thereof. Additionally, the meta-application 150 can beconfigured to predict or detect “features,” “problems,” and/or “rootcauses,” as these terms are used in Qureshi '536. New gateway rules 404can be created based on the model, the detected features, problems, androot causes, and other information detected or computed by themeta-application 150. The management and gateway control capabilities ofembodiments of the meta-application 150 are described more fully below.

The illustrated gateway configuration service 406 is configured toreceive gateway rules 404 from the providers 408, and save them in thelocal storage of rules 404. The gateway configuration service 406 can beimplemented as a web service and can have a list of all of the providers408 associated with the gateway 128. The gateway configuration service406 can be configured to periodically (e.g., every 24 hours, hour, orfew minutes, etc.) query the providers 408 for any new gateway rules 404that are available. In this sense, the configuration service 406 acts asa collector of gateway rules 404 for the gateway 128.

Protecting Attachment Data

Mobile devices are pervasively used to check emails, including emailsassociated with an enterprise email account. Some emails includeattachments containing sensitive data. These attachments are oftenstored on a mobile device when a user checks email using the mobiledevice. The attachment data stored on the mobile device can becompromised in a number of ways. When the attachment data iscompromised, sensitive data associated with the enterprise can beexposed. Accordingly, a need exists to protect attachment dataassociated with an enterprise that is stored on a mobile device. Thisneed may vary depending upon the individual's position or role in anassociated organization; for example, the need to protect theattachments to messages received by a corporation's executives may begreater than the need to protect the attachments received by thecorporation's IT staff. In addition, if the company's enterprisesupports the use of other messaging protocols (SMS, MMS, instantmessaging, AS, EWS, OWA, proprietary messaging protocols, etc.) to senddocuments, this need may extend to such protocols.

Aspects of certain embodiments relate to protecting enterpriseattachments stored on a mobile device, such as enterprise emailattachments, from being compromised. The attachments may include, forexample, Word documents, Excel documents, PowerPoint presentations, textfiles, and documents and files created with other application programs.According to the principles and advantages described herein, attachmentdata can be protected on mobile devices with non-proprietary emailapplications, such as an email application that comes pre-installed onor is later installed on an iPhone or an Android device. As such,features related to protecting attachment data can be implemented withany suitable email client. Enterprise attachments can be protected priorto being stored on a mobile device such that the protected attachmentdata remains safe even when data stored on the mobile device iscompromised. The attachment data can be securely stored in the generalfile system of a mobile device. Attachment data can be identified andstripped from an email message. The attachment data can be encrypted andthen sent to the mobile device as encrypted attachment data. A securemobile gateway can be configured to encrypt attachment data and providethe encrypted attachment data to the mobile device. According to someembodiments, an encrypted attachment key can also be sent with theencrypted attachment data. Secure, policy-based access to the protectedattachment data can be provided. An enterprise agent can decrypt theencrypted attachment data. For example, the enterprise agent can decryptthe encrypted attachment key and then use the attachment key to decryptthe encrypted attachment data. When the mobile device is compromised,the enterprise agent can be configured such that the encryptedattachment data remains encrypted. For example, the enterprise agent candestroy and/or invalidate the attachment key. Without the device key todecrypt the encrypted attachment key, the encrypted attachment data canremain encrypted. When the encrypted attachment data is stored onremovable memory, such as a secure digital (SD) card, the attachmentdata can remain secure when the removable memory is removed from themobile device since the attachment data is encrypted.

In one embodiment, enterprise users access their enterprise emailaccounts from their mobile devices using the enterprise agents installedon their mobile devices. The enterprise agent can operate transparentlyto an email client and an enterprise email server. The enterprise agentmay require an end user to log-in before accessing the user's emailaccount and/or before an opening encrypted attachment. The enterpriseagent can register with a platform of the mobile to device. When theuser opens an encrypted attachment, the enterprise agent can be invoked.An encrypted attachment can be identified by a particular file suffix.After being invoked, the enterprise agent can decrypt the attachmenttransparently to the user.

Although the system is described herein primarily in the context ofemail attachments for illustrative purposes, it will be understood thatthe principles and advantages described herein may be applied to anyother suitable communication protocol that can be used to send anattachment from an enterprise resource to a mobile device. For example,any combination of features of protecting email attachments can beapplied to protecting an attachment to an instant message, text message(for example, an SMS), or the like. It will be understood that, incertain embodiments, the policy based encryption of attachment datadescribed herein can be implemented in combination with other encryptionapplied to the attachment data. Moreover, although attachment data isdescribed herein as being encrypted for illustrative purposes, it willbe understood that the principles and advantages described herein may beapplied to any other suitable way of protecting attachment data on amobile device, such as scrambling and the like. Furthermore, theprinciples and advantages described herein with reference to attachmentdata can be applied to protecting some or all of a message, such as anemail message.

With reference to FIGS. 1A-1C, attachment data can be protected in anyof the enterprise computing systems and mobile devices described herein.Attachment data can be protected in any system with a mobile device 120in communication with a secure mobile gateway 128, which is incommunication with an enterprise resource 130, such as an enterpriseemail server. Typically, a mobile device 120 communicates with thesecure mobile gateway 128 via an external firewall 122 (FIG. 1A-C). Incertain embodiments, the secure mobile gateway 128 can be implemented byan enterprise resource 130. In one embodiment, as discussed above, thesecure mobile gateway 128 can be deployed between an external firewall122 and an internal firewall 124 of the enterprise system 110. Themobile device 120 and/or the secure mobile gateway 128 can be incommunication with a mobile device management system 126. The mobiledevice management system 126 can be configured to implementfunctionalities related to encryption keys for encrypting attachmentdata, for example, as will be described in more detail below. Accordingto certain embodiments, the secure mobile gateway 128 and/or agents ofthe mobile device 120 can be configured to decrypt attachments.

The secure mobile gateway 128 can be configured to detect attachments inincoming and/or outgoing email messages. In some embodiments, the securemobile gateway 128 can inspect and/or modify a data payload beingtransmitted to and/or from a mobile device 120, such as an ActiveSyncdata payload. The incoming and/or outgoing data payload can be in WBXML,a binary version of XML optimized for low bandwidth environments. Thesecure mobile gateway 128 can include a parser and generator thatoperate on the data payload. For example, the parser and generator canprocess WBXML. In this example, the parser and generator can processdata in accordance with the ActiveSync WBXML schema. The secure mobilegateway 128 can programmatically identify which character encodingschemes are being used. WBXML messages may include MIME payloads. Thesecure mobile gateway 128 can include a MIME parser and generatorconfigured to construct and deconstruct this data. With a parser andgenerator, the secure mobile gateway 128 can identify an attachment sothat the attachment can be separated from an email and secured.

According to one embodiment, to intercept and/or modify incoming and/oroutgoing data payloads, the secure mobile gateway 128 can register withan Internet Server Application Programming Interface (ISAPI) or otherserver to receive notifications. The received notifications cancorrespond to various processing stages. The secure mobile gateway 128can maintain a context state to track the various processing stages of arequest. The secure mobile gateway 128 can chunk and de-chunk requestand response data.

The secure mobile gateway 128 can modify, or otherwise mark, anattachment and/or a reference to an attachment. For instance, the securemobile gateway 128 can append a particular suffix, such as “.zendata” tothe names of encrypted attachments to signify that they should bepreprocessed by the enterprise agent 320. As another example, the securemobile gateway 128 can append a particular suffix, such as “.zendata” tothe names of a reference to an attachment to signify that the attachmentshould later be encrypted prior to being delivered to a mobile device120. The secure mobile gateway 128 can adjust a header attribute (forexample, in MIME data) to identify that attachment data is encrypted asan alternative to or in addition to appending a suffix to a file or alink. The secure mobile gateway 128 can encrypt and/or decryptattachment data and/or attachment keys. The secure mobile gateway 128can be configured to initiate communication with the mobile devicemanagement system 126 to obtain device properties, device policies,public device keys, the like, or any combination thereof.

Device Agents, such as an operating system and/or the enterprise agent320 (FIG. 3), of the mobile device 120 can be configured to register themobile device 120 with the enterprise system 110 and to handle theencrypted data file type (for example, “.zendata”), decrypt theattachment data, and invoke the appropriate rendering and/or processingon the decrypted attachment data. The device agents of the mobiledevices 120 can be configured to obtain and/or manage a private devicekey.

The mobile device management system 126 can generate a device key. Themobile device management system 126 can distribute the device key or aportion thereof to a mobile device 120 and/or to a secure mobile gateway128. A suitable key can be used by the secure mobile gateway 128 toencrypt attachment data and another suitable key can be used by themobile device 120 to decrypt the encrypted attachment data. Forinstance, the mobile device 120 can receive a private device key fromthe mobile device management system 126, and the secure mobile gateway128 can receive a public device key from the mobile device managementsystem 126. The secure mobile gateway 128 need not include special keymanagement and/or key archiving, according to some embodiments. When anattachment is encrypted and a corresponding device key is subsequentlydestroyed, invalidated, and/or replaced, the encrypted attachment may beunrecoverable.

A number of different rules and/or policies related to protectingattachments can be implemented by the enterprise system 110. Forexample, features related to protecting attachments can be implementedbased on one or more properties of a particular mobile device 120 thatreceives attachment data. In this example, certain mobile devices 120with particular software applications installed thereon can enableattachment protection as a default. As another example, protectingattachments can be enabled and/or disabled based on one or moreproperties of a user of a mobile device 120 that is receiving theattachment data. For instance, an employee of the enterprise that islikely to receive attachments with sensitive and/or confidentialinformation, such as an executive and/or a member of the legal team, canhave attachments encrypted as a default. By contrast, an employee who isunlikely to receive attachments with sensitive and/or confidential datacan have attachment protection disabled as a default. As yet anotherexample, attachments can be protected based on one or more properties ofthe attachment itself, such as file name, file type, data included inthe attachment, or any combination thereof. For instance, the attachmentcan be searched for one or more key words and phrases, such as“confidential,” “proprietary,” “attorney-client privileged,” etc., andif such a key word or phrase is found the attachment can be encrypted.It will be appreciated that rules and/or policies can allow theenterprise to configure features related to protecting attachments in aflexible way, based on mobile device properties, user properties,attachment properties, the like, or any combination thereof. Any of therules and/or policies related to protecting attachments can beimplemented in combination with any of the other rules described herein,rules packages described herein, policies described herein, the like orany combination thereof.

Moreover, any of these rules and/or policies related to protectingattachments can be implemented by any suitable computer hardwaredescribed herein. For example, the secure mobile gateway 128 can beconfigured to enable and/or disable features related to protectingattachments, such as encrypting attachments, globally. The secure mobilegateway 128 can obtain policies from the mobile device management system126 related to protecting attachments. The mobile device managementsystem 126 can be configured to manage any selection policy related toprotecting attachments, such as which mobile devices 120 receiveencrypted attachments and/or what type of attachments are encrypted.

In a typical use case scenario, a mobile device 120 can receive an emailwith an attachment from an enterprise email server, such as an Exchangeserver, in accordance with an ActiveSync protocol. The mobile device 120can retrieve encrypted email attachments such that the attachment datasaved on the mobile device 120 is protected with device-specific keys.The saved attachment data can only be decrypted using an enterpriseagent 320 running on the mobile device 120, according to certainembodiments. For instance, the enterprise agent 320 can control andmanage the device-specific key used to decrypt the attachment data. Amobile device management system 126 can select or specify the mobiledevices 120 and/or users for which attachments are to be encrypted. Forexample, selected mobile devices 120 may be excluded from receivingencrypted attachments based on one or more mobile device managementsystem 126 policies and/or one or more secure mobile gateway 128policies.

Encrypted attachments that are forwarded and/or sent from a mobiledevice 120 can be decrypted by the secure mobile gateway 128 beforebeing delivered to new recipient(s). As a result, a new recipient withinthe enterprise can receive the attachment based on its policy. When thenew recipient is a mobile device 120 with an enterprise agent 320, theattachment data can be re-encrypted for that particular recipient mobiledevice 120. When the new recipient is an unmanaged mail client, theattachment data can be delivered unencrypted.

Example communications and events related to delivering an email with anattachment from an enterprise resource 130 to a mobile device 120 via asecure mobile gateway 128 will be described with reference to FIG. 31.Then example communications and events related to forwarding and/orsending an email from a mobile device 120 through a secure mobilegateway 128 and an enterprise resource 130 will be described withreference to FIGS. 32 and 33.

FIG. 31 illustrates an example of a process by which an email messagewith an encrypted attachment can be delivered to a mobile device 120. Inthis process, the secure mobile gateway 128 identifies an attachment toan email message being delivered to a mobile device 120. The securemobile gateway 128 can encrypt the attachment data prior to transmittingthe attachment to a mobile device 120. The attachment data can beencrypted and sent to the mobile device 120 either when the emailmessage is sent to the mobile device 120 or in response to a user of themobile device 120 attempting to open the attachment. The secure mobilegateway 128 can also encrypt an attachment key associated with theencrypted attachment data. In event A of FIG. 31, the mobile device 120transmits a sync request to the secure mobile gateway 128, for example,by way of the ActiveSync protocol. Then the secure mobile gateway 128transmits a sync request to an enterprise resource 130 in event B. Theenterprise resource 130 may, for example, be an enterprise email server,such as a Microsoft Exchange Server. In event C, the enterprise resource130 sends a sync response to the secure mobile gateway 128. The syncresponse can include email messages to be delivered to the mobile device120.

In event D of FIG. 31, the secure mobile gateway 128 processes an emailmessage being sent to the mobile device 120. Such processing can includedetermining whether the email message includes an attachment. Forinstance, when the enterprise email server sends a response thatincludes email messages in event C, the secure mobile gateway 128 canparse the response and programmatically identify attachments. Forexample, attachments can be identified from a name and a serverreference in a WBXML message. As another example, attachments can beidentified by being inlined in a MIME message. The secure mobile gateway128 can mark and/or modify the attachment in a detectable way. Forinstance, the secure mobile gateway 128 can rename an attachment. In oneembodiment, a suffix can be appended to the name of an attachmentdocument. For example, an attachment with an original name of “Foo.xyz”can be renamed to “Foo.xyz.zendata”.

An attachment can also be encrypted in event D of FIG. 31 when theattachment is inlined, such as in a MIME message, or otherwise includedwith the email in a substantially compete form. Any suitable attachmentcan be encrypted, such as a document (for example, a Word document, aPDF document, etc.). The secure mobile gateway 128 can also encrypt anattachment key associated with the attachment. The attachment key can begenerated by the secure mobile gateway 128 and/or received by the securemobile gateway 128 from the mobile device management system 126, forexample, as discussed in more detail with reference to FIG. 34. Theencrypted attachment key can be included in the new attachment file withthe encrypted attachment data.

The sync response from the enterprise email server and/or anotherenterprise resource 130 as modified by the secure mobile gateway 128 isdelivered to the mobile device 120 in event E of FIG. 31. This canprovide the mobile device 120 with encrypted attachment data in somecircumstances. For example, MIME messages with embedded, encryptedattachments can be provided to the mobile device 120. For some othertypes of messages, emails with renamed attachment references that can beused with subsequent requests to retrieve attachments are provided tothe mobile device 120.

For emails with attachment references, such as WBXML emails, a requestto retrieve attachments can be sent from the mobile device 120 in eventF of FIG. 31. Then, in event G, the secure mobile gateway 128 can detectthat the attachment reference has been marked and/or modified. Forexample, the secure mobile gateway 128 can programmatically identifythat that attachment reference includes a particular suffix previouslyadded by the secure mobile gateway 128, such as “zendata” in the exampleprovided above. The secure mobile gateway 128 can then unmap theattachment reference so that the enterprise email server and/or anotherenterprise resource 130 can process a request to provide the attachment.In some embodiments, this can involve a URL rewrite. In event H, thesecure mobile gateway 128 requests the attachment from the enterpriseemail server and/or another enterprise resource 130. Then the enterpriseemail server delivers the attachment to the secure mobile gateway 128 inevent I. The secure mobile gateway encrypts the attachment in event J.The secure mobile gateway 128 can also encrypt an attachment keyassociated with the attachment. The encrypted attachment key can beincluded in a file with the encrypted attachment data and/or providedseparately to the mobile device 120. Then in event K, the secure mobilegateway 128 delivers the encrypted attachment data to the mobile device128.

Email messages and associated attachments stored on a mobile device 120can be forwarded from the mobile device 120 to a new recipient. FIGS. 32and 33 illustrate examples of processes of forwarding an email messagefrom a mobile device 120. In the example illustrated in FIG. 32, asecure mobile gateway 128 can function as a pass through in transmittinga request to forward an email message with an attachment from the mobiledevice 120 to an enterprise resource 130, such as an enterprise emailserver. The process illustrated in FIG. 32 can be implemented insituations in which the email with the attachment is stored on theenterprise email server or in which the enterprise email serverotherwise has access to the attachment data. For instance, the mobiledevice 120 can send information identifying the attachment, such as areference, to the enterprise email server via the secure mobile gateway128. In some embodiments, the process of FIG. 32 can be implemented witha Smart Forwarding feature in which a marker is inserted in a forwardedemail message with an attachment. The enterprise resource 130 (forexample, an Exchange server or other enterprise email server) can insertthe attachment into the forwarded email message that is sent to therecipient by the Smart Forwarding feature. In this way, the mobiledevice 120 can forward the email message without downloading the entireemail message and attachment to the mobile device 120.

In event A of FIG. 32, the mobile device 120 sends, to the secure mobilegateway 128, a request to forward an email message that includes areference to the attachment. Then the secure mobile gateway 128 simplypasses through the email message to the enterprise resource 130 in eventB. The enterprise email server can then use the reference to identifythe attachment that is stored on the enterprise email server. The emailand the attachment can then be sent to the recipient via the processillustrated in FIG. 31 when the recipient is a mobile device 120associated with the enterprise. In event C, the enterprise resource 130responds to the secure mobile gateway 128 to confirm that the messagehas been sent. The secure mobile gateway 128 passes through the responseto the mobile device 120 in event D.

In the example illustrated in FIG. 33, the secure mobile gateway 128decrypts encrypted attachment data from the mobile device 120 whentransmitting a request to forward the email message with the attachmentfrom the mobile device 120 to an enterprise resource 130, such as anenterprise email server. The process illustrated in FIG. 33 can beimplemented in situations in which the email message with the attachmentis being transmitted from the mobile device 120. Such a process can beimplemented, for example, on mobile devices 120 in which the processillustrated in FIG. 32 is unsupported (such as mobile devices 120 thatdo not support Smart Forwarding) and/or disabled.

In event A of FIG. 33, the mobile device 120 sends a request to forwardan email message with an attachment to the secure mobile gateway 128.The request can include the encrypted attachment data. The secure mobilegateway 128 detects a previously encrypted attachment and decrypts theencrypted attachment data at in event B. For instance, the secure mobilegateway 128 can programmatically identify attachments that are markedand/or modified to indicate that they are encrypted, such as having thesuffix “.zendata” in an example provided above. More details regardingsome example decryption methods that can be performed in event B will bedescribed with reference to FIG. 35. In event C, the request to forwardthe email message including the decrypted attachment data is transmittedto the enterprise resource 130. The enterprise resource 130 responds tothe secure mobile gateway 128 to confirm that the message has been sentin event D. The secure mobile gateway 128 passes through the response tothe mobile device 120 in event E.

To encrypt email attachments, various keys can be generated, deliveredto other devices, encrypted, used to decrypt encrypted attachment data,the like, or any combination thereof. Although encryption of emailattachments may be described herein with reference to certain computingdevices performing particular functionalities for illustrative purposes,it will be understood that any of the features related to encryptingand/or decrypting an attachment described herein can be performed by anysuitable computing device. For example, some functions related toencryption/decryption or a subcombination thereof that are described asbeing performed by the secure mobile gateway 128 and/or the mobiledevice management system 126 can be performed by the mobile device 120.As another example, some functions related to encryption/decryption or asubcombination thereof that are described as being performed by eitherthe secure mobile gateway 128 or the mobile device management system 126can alternatively or additionally be performed by the other of the twocomputing systems.

In certain embodiments, the secure mobile gateway 128 can generate keysrelated to an attachment and the mobile device management system 126 cangenerate keys for selected mobile devices 120. For instance, the securemobile gateway 128 can generate a symmetric secure mobile gateway keySmgkey and store this key in a suitable data store. The symmetric securemobile gateway key Smgkey can be generated, for example, when the securemobile gateway 128 is being installed and/or when software is beinginstalled thereon. According to some embodiments, the mobile devicemanagement system 126 can generate an asymmetric key DeviceKeyassociated with a selected mobile device 120. Alternatively oradditionally, the mobile device management system 126 can generate anasymmetric key associated with a group of mobile devices 120, a user ofthe enterprise, the like, or any combination thereof. Such an asymmetrickey can be used in place of the asymmetric key DeviceKey or incombination with the asymmetric key DeviceKey. The mobile devicemanagement system 126 can distribute a private key DeviceKeyPr of theasymmetric key DeviceKey to the selected mobile device 120. The mobiledevice management system 126 can distribute a public key DeviceKeyPb ofthe asymmetric key DeviceKey to the secure mobile gateway 128.

FIG. 34 is a flowchart illustrating an embodiment of a method ofencrypting an attachment. Some or all of the method steps illustrated inFIG. 34 can be performed, for example, in event D and/or in event J ofFIG. 31. At block 3410, an attachment key AttachmentKey is generated.The attachment key AttachmentKey can be a symmetric key. The attachmentkey AttachmentKey can be generated by the secure mobile gateway 128.

The attachment key AttachmentKey is encrypted at block 3420. Forexample, the secure mobile gateway 128 can encrypt the attachment keyAttachmentKey with the secure mobile gateway key Smgkey. This producesan encrypted secure mobile gateway attachment keyEncyptedSmgAttachmentKey for the secure mobile gateway 128, which can beused by the secure mobile gateway 128 to decrypt the encryptedattachment data, for example, as described with reference to FIG. 35.Additionally, the secure mobile gateway 128 can encrypt the attachmentkey AttachmentKey with the public key DeviceKeyPb. This produces anencrypted device attachment key EncryptedDeviceAttachmentKey for themobile device 120, which can be used by the mobile device 120 to decryptthe encrypted attachment data, for example, as described with referenceto FIG. 35.

At block 3430, attachment data is encrypted with the attachment keyAttachmentKey to generate encrypted attachment data. The secure mobilegateway 128 replaces previous attachment data with encrypted attachmentdata at block 3440. The encrypted attachment keysEncyptedSmgAttachmentKey and EncryptedDeviceAttachmentKey can also beincluded with the encrypted attachment data. For example, the securemobile gateway 128 can replace attachment data with encrypted attachmentdata, the encrypted secure mobile gateway attachment keyEncyptedSmgAttachmentKey and the encrypted device attachment keyEncryptedDeviceAttachmentKey.

Encrypted attachment data can be decrypted in order to access theattachment data. In certain embodiments, a user can be prompted tolog-in or otherwise supply access credentials when accessing encryptedattachment data on a mobile device 120. To maintain the protection ofthe encrypted attachment data, the encryption keys associated with theattachment data can be provided to particular computing devices. Forinstance, as discussed with reference to block 3420 of FIG. 34, thesecure mobile gateway 128 can encrypt the attachment key AttachmentKeyspecifically for use with a selected mobile device 120 and/or the securemobile gateway 128. FIG. 35 is a flowchart illustrating an embodiment ofa method of decrypting an attachment. Some or all of the method stepsillustrated in FIG. 34 can be performed, for example, by either a mobiledevice 120 or the secure mobile gateway 128 when encrypted attachmentdata stored on the mobile device is accessed by an application on themobile device 120 and/or in event B of FIG. 33.

At block 3510, a computing device receives an encrypted attachment. Incertain embodiments, the computing device can also receive an encryptedattachment key with the encrypted attachment data. The encryptedattachment data and the encrypted attachment key can both be included inthe same file, according to some of these embodiments. The encryptedattachment key is decrypted at block 3520. Then, at block 3530, theattachment data is decrypted using the attachment key.

The method illustrated in FIG. 35 can be performed, for example, by anenterprise agent 320 on a mobile device 120. This can include the mobiledevice 120 receiving an encrypted attachment and an encrypted attachmentkey, for example, in accordance with the process illustrated in FIG. 31.The enterprise agent 320 of the mobile device 120 can decrypt anencrypted device attachment key EncryptedDeviceAttachmentKey with aprivate device key DeviceKeyPr. The decrypted device attachment key canbe the attachment key AttachmentKey. With the attachment keyAttachmentKey, the enterprise agent 320 of the mobile device 120 candecrypt the encrypted attachment data. This can provide the mobiledevice 120 with the original attachment data sent to the mobile device120 by an enterprise resource 130, such as an enterprise email server.Such data can be, for example, plain-text data.

The method illustrated in FIG. 35 can be performed, for example, on asecure mobile gateway 128. This can include the secure mobile gateway128 receiving an encrypted attachment, for example, when a mobile device120 forwards an email message with an encrypted attachment. The securemobile gateway 128 can decrypt an encrypted secure mobile gatewayattachment key EncryptedSmgAttachmentKey with the secure mobile gatewaykey Smgkey. The decrypted device attachment key can be the attachmentkey AttachmentKey. With the attachment key AttachmentKey, the securemobile gateway 128 can decrypt the encrypted attachment data. This canprovide the secure mobile gateway 128 with the original attachment datapreviously sent to the mobile device 120 by an enterprise resource 130,such as an enterprise email server. The secure mobile gateway 128 canthen forward the attachment data to the enterprise resource 130.

To support distribution and/or updating of public device keys, such asthe public device key DeviceKeyPb, a web service interface or othersuitable interface can be provided. The interface can enable a user todefine device/key pairs and/or user/key pairs. The interface can enablea user, such as an IT staff member or an enterprise networkadministrator, to update the key pairs by, for example, adding newpairs, replacing existing pairs, removing pairs, the like, or anycombination thereof. The interface can enable a user to map a mobiledevice 120 to a set of properties (for example, name/value pairs). Suchproperties can include the attachment public key, blocking attachments,blocking selected attachment types, blocking contact sync, blockingcalendar sync, client certificate ID, any of the other propertiesdescribed herein, the like, or any combination thereof.

Application Tunnels

With reference to FIGS. 1A-3, a tunneling mediator, such as thetunneling mediator 224 of the mobile device management system 126, canbe configured to receive access requests generated by softwareapplications 318 installed on the mobile devices 120, for access to theenterprise resources 130 (especially enterprise resources 130 comprisingsoftware applications), and to generate application tunnels between thedevice applications 318 and the enterprise resources 130. An applicationtunnel is a technique in which one network protocol (for example, thedelivery protocol) encapsulates a different network protocol. By usingtunneling, it is possible to, for example, provide a secure path throughan untrusted network.

One benefit of using application tunnels for communications betweenmobile device applications 318 and enterprise resources 130 is that itis possible to limit the mobile device's access to those enterpriseresources 130 that the user 115 of the mobile device 120 needs for theperformance of his or her enterprise role 206. Another potentialadvantage of using application tunnels is that access control can beprovided at the application level for pre-existing applications. Inpreferred embodiments, the application tunnels are defined at theapplication layer in the OSI model. This is in contrast to a virtualprivate network (VPN), a methodology which is widely used to provideremote offices or individual users secure access to their organization'snetwork. A VPN operates at the network layer (or lower) of the OpenSystems Interconnection (OSI) model and ordinarily provides users withfull access to all of the resources within an enterprise's computernetwork. A significant problem with using a VPN connection is that nosuitable mechanism exists for restricting access by the mobileapplications (and potentially mobile applications containing malware) tothe VPN connection. In contrast, as described below, each applicationtunnel may be exclusive to (available for use only by) a single,corresponding mobile application. By limiting access only to enterpriseresources 130 needed by a particular user 115, the use of applicationtunnels can promote enterprise network security.

As explained in further detail below, an additional benefit of usingapplication tunnels for communications between a mobile device 120 andan enterprise system 110 is that it allows the enterprise to improve theuser's connectivity experience (e.g., by caching data in the event of anetwork connection loss), log data flows, and implement other features.

In order to implement the application tunnels, a tunneling mediator canbe provided, through which the tunneled communications flow. Thetunneling mediator is a component that receives mobile deviceapplication communications formatted according to an encapsulationprotocol, “unpacks” or extracts data from the communications using theprotocol, and sends the unpacked or extracted data to a network resourcerequested or specified by the mobile device application. The tunnelingmediator also does substantially the same for communications sent by anetwork resource to a mobile device application via the tunnelingmediator. The tunneling mediator can comprise a software applicationinstalled on a server. The tunneling mediator can be located within theenterprise system 110 (e.g., the tunneling mediator 224 of the mobiledevice management system 126), or alternatively outside of theenterprise system 110 (e.g., in a cloud computing environment 156 as inFIG. 1B).

A tunneling mediator or enterprise agent 320 can use a tunnel definitionto construct an application tunnel, in accordance with methods describedbelow. The mobile device management system 126 illustrated in FIG. 2includes a repository 228 of tunnel definitions. A tunnel definition caninclude information to implement an application tunnel between a mobiledevice application 318 and a remote resource (such as an enterpriseresource 130). A tunnel definition can be specific to a particularapplication 318 or type thereof. Similarly, a tunnel definition can bespecific to a particular remote resource or type thereof. A tunneldefinition can identify a specific port of a mobile device 120 and/or aURL or specific port of a computer server on which the remote resourceis installed. Accordingly, a tunnel definition can include anapplication or server port and information mapping such a port to aclient port to specify the endpoints of an application tunnel. A tunneldefinition can also include a URL of a tunneling mediator, which can beuseful, particularly in implementations involving multiple tunnelingmediators. Multiple application tunnels can be mapped to a specific portof a mobile device 120 and/or a URL or specific port of a computerserver on which the remote resource is installed, and the multipleapplication tunnels can be multiplexed such that a single port of themobile device 120, and/or a URL or specific port of the computer serveron which the remote resource is installed, is used to implement multipleapplication tunnels. The mobile device management system 126 can beconfigured to send (e.g., push) at least portions of the tunneldefinitions 228 to mobile devices 120. For example, the tunneldefinitions can be sent with the “rule packages” described below. Theenterprise agents 320 can be configured to store the tunnel definitionslocally on the mobile devices 120, and use the tunnel definitions togenerate application tunnel formation requests, as described below.

A tunneling mediator or related system can include an interface, such asa web console, for viewing, creating, and editing tunnel definitions.The interface can also allow an administrator or other person to viewdata associated with mobile devices 120 adapted to connect viaapplication tunnels. At least some of the data can be obtained from therepository of mobile device information 204 (FIG. 2).

Many mobile device software applications 318 are capable of issuingnetwork communications (also referred to as “application-generatedcommunications”), including requests to access and communicate withenterprise resources 130. The enterprise agent 320 can be configured tointercept and/or receive these communications, and redirect at leastsome of them to URLs associated with one or more tunneling mediators,such as the mediator 224. The tunneling mediator can redirect theapplication-generated communications to requested enterprise resources130, receive responsive communications from the enterprise resources130, and forward the responsive communications back to the mobiledevices 120. Advantageously, the tunneling mediator can add a layer ofenterprise security by applying access policies 218 to grant or denyaccess, and restricting access only to the requested enterpriseresources 130.

In one embodiment, upon intercepting and/or receiving anapplication-generated communication for accessing an enterprise resource130 (or another resource), the enterprise agent 320 searches theapplication tunnel definitions stored in local storage to retrieve atunnel definition associated with the software application 318 thatproduced the application-generated communication, and/or associated withthe requested enterprise resource 130 (or other resource). Theenterprise agent 320 generates an application tunnel formation requestthat identifies the retrieved tunnel definition, and encapsulates atleast a portion of the application-generated communication within one ormore headers of an encapsulation protocol. The encapsulatedapplication-generated communication is also referred to herein as an“agent-generated communication.” The enterprise agent 320 sends theapplication tunnel formation request and the encapsulatedapplication-generated communication (which can together comprise asingle communication) to the tunneling mediator 224 (e.g., viaconnections 142 and 144 of FIGS. 1A and 1C, or via connections 142 and160 of FIG. 1B) or another such mediator defined in the tunneldefinition. Skilled artisans will appreciate that the defined tunnelingmediator can be one of a plurality of tunneling mediators associatedwith the agent 320 and enterprise system 110.

The tunneling mediator 224 receives the application tunnel formationrequest (which identifies the tunnel definition) and the agent-generatedcommunication. The tunneling mediator 224 can read the tunnel definitionidentified in the tunnel formation request and then retrieve theidentified tunnel definition from the repository 228. The tunnelingmediator 224 can determine, from the retrieved tunnel definition or evenfrom the information provided in the tunnel formation request, a URLand/or port of a computer server or other computing device on which therequested enterprise resource 130 is located. The tunneling mediator 224opens a network connection to the server port (e.g., the connection 152of FIGS. 1A and 1C, or the connection 162 of FIG. 1B). In someembodiments, the tunneling mediator 224 remains connected to theenterprise resource 130 at all times or during pre-scheduled timeranges, such that a connection can be available immediately upon thereceipt of an application tunnel formation request from a mobile device120. Based on the encapsulation protocol, the tunneling mediator 224extracts the application-generated communication from theagent-generated communication, and sends the former to the URL/serverport associated with the requested enterprise resource 130. At thispoint, an application tunnel has been formed between the mobile device120 and the requested enterprise resource 130. In some embodiments, thetunneling mediator 224 sends a message back to the mobile device 120 toindicate the formation of the tunnel, and asks that the enterprise agent320 affirmatively accept the tunnel before sending application-generatedcommunications to the enterprise resource 130. Once the tunnel isformed, the enterprise agent 320 can send additionalapplication-generated communications (encapsulated using theencapsulation protocol) to the tunneling mediator 224, which can forwardthem to the enterprise resource 130.

Communications in the opposite direction (e.g., from an enterpriseresource 130 to a mobile device application 318) can be encapsulated bythe tunneling mediator 224, sent by the tunneling mediator 224 to themobile device 120, and then unpacked by the enterprise agent 320, inaccordance with the encapsulation protocol. The tunneling mediator 224can communicate with the enterprise resource 130 as though the mediator224 is the mobile device application 318, and so that responsesgenerated by the enterprise resource 130 are returned to the tunnelingmediator 224 (e.g., via connection 152 of FIGS. 1A and 1C, andconnection 162 of FIG. 1B). When the tunneling mediator 224 receivessuch responses to the application-generated communications, thetunneling mediator 224 can encapsulate at least a portion of each ofthese “resource-generated responses” within one or more headers, such asHTTP headers, in accordance with the encapsulation protocol, and thensend the encapsulated response to the enterprise agent 320 (e.g., viaconnections 144 and 142 of FIGS. 1A and 1C, and connections 160 and 142of FIG. 1B). The tunneling mediator 224 can be configured to send itscommunications to a specific port of the mobile device 120, the portbeing defined in the tunnel definition associated with the operativeapplication tunnel. The enterprise agent 320 can be configured to“listen” to this local port for tunneled communications from thetunneling mediator 224. Based on the encapsulation protocol, theenterprise agent 320 can extract the resource-generated response fromthe one or more headers, and then provide the resource-generatedresponse to the application 318.

In this type of application tunnel, the software application 318installed on the mobile device 120 can be given an impression that it isconnecting directly with a resource (such as an enterprise resource 130)associated with the URL of the network request issued by the application318. In reality, the application 318 is actually communicating with theresource via a tunneling mediator (such as the tunneling mediator 224).Thus, the application 318 need not be aware of the tunnel's existence.

In some embodiments, the enterprise agent 320 can be configured tofilter out those application-generated communications that meetpredefined and/or configurable criteria. Such criteria can include, forexample, any one or more of the following, as well as various othercritera: (1) the URL (e.g., of the enterprise system 110, or of websites whose access is restricted by the enterprise), (2) server port(s)to which an application 318 attempts to send the request, (3) dataregarding the application that issues the request (e.g., name, version,etc.), (4) time of day, (5) day of the week, and/or (6) geographiclocation of the mobile device 120. Such filtering criteria can becommunicated to a mobile device 120 by the enterprise system 110 viawireless communications to the enterprise agent 320.

In one method of initiating the formation of an application tunnel, theenterprise agent 320 is configured to intercept theapplication-generated communications from the software applications 318.For instance, in mobile devices 120 running certain Microsoft™ operatingsystems (e.g., Windows Mobile™, Windows CE™), it is possible to use alayered service provider (LSP) to filter network requests issued bymobile device applications 318. An LSP, which is a feature of theMicrosoft Windows Winsock 2 Service Provider Interface (SPI), is a DLLthat uses Winsock APIs to insert itself into the TCP/IP protocol stack.Once in the stack, the LSP can intercept and modify inbound and outboundInternet traffic. The LSP can allow for processing of all the TCP/IPtraffic taking place between the Internet and the device's softwareapplications 318. The LSP can be configured to be loaded automaticallyby any application 318 that uses network connections. The LSP has alayered model, like a filter. Thus, every time an application 318 makesa network call, it goes through the LSP. The LSP allows the enterpriseagent 320 to intercept every application network communicationattempting to send information to one or more defined URLs, and redirectthe communication to a tunneling mediator, such as the mediator 224associated with the enterprise system 110. In this manner, theenterprise agent 320 can detect requests from the applications 318 toconnect to the enterprise resources 130, and modify and redirect therequests to a URL of the tunneling mediator. The enterprise agent 320can be configured to filter requests from the applications 318 by one ormore identified ports of the enterprise resources 130. The enterpriseagent 320 can be configured to select port(s) of the tunnelingmediator(s) to send the redirected requests, based at least partly onthe enterprise resource ports provided within the requests.

As noted above, after the tunneling mediator establishes an applicationtunnel connection between the mediator and the requested resource, themediator can send a notification thereof to the enterprise agent 320,and the enterprise agent 320 can accept the application tunnelconnection. All of this can happen transparently with respect to thesoftware application 318. The application 318 can send network requestsvia the tunneling mediator without modifications or reconfiguration ofthe application 318, according to certain embodiments.

Unfortunately, in some mobile devices it is difficult or even impossiblefor a mobile device 120 to intercept network connection requests issuedby software applications 318. Some mobile device operating systems (suchas iOS™ and Android™) can restrict the ability of different softwareapplications to interact and share data with each other. Suchrestrictions are sometimes referred to as the “sandboxing” of softwareapplications, and can be useful in preventing rogue applications fromstealing data from mobile devices 120 and sending the data tounauthorized Internet locations. This can prevent an enterprise agent320 from accessing or modifying network requests issued by theapplications 318.

Hence, another approach to initiating the formation of an applicationtunnel is to reconfigure how the software applications 318 send theirnetwork requests (or at least some of them). In certain embodiments, asoftware application 318 is reconfigured to send its network requests toa local host of the mobile device 120, on a defined mobile device port.The enterprise agent 320 can be configured to “listen” to the port andreact to an application's network request by establishing a connectionwith a tunneling mediator (if it is not already established) to open anapplication tunnel with a resource requested by the application 318. Theenterprise agent 320 can consult the relevant application tunneldefinition in order to determine the port to which to listen for theapplication tunnel request. In other embodiments, a software application318 is reconfigured to send at least some of its network requestsdirectly to the tunneling mediator. Further, the application 318 canalso be configured to “unpack” communications (encapsulated via theencapsulation protocol) received from the tunneling mediator. Anenterprise can make available an application store of downloadablemobile device applications 318 that are configured to generateapplication tunnel requests as described herein.

Encapsulation protocols for producing application tunnels are nowfurther described. The enterprise agent 320 or software applications 318(depending on which particular approach to forming an application tunnelis used) can be configured to modify the software application's networkconnection request using any of a variety of different methods orencapsulation protocols. An encapsulation protocol for use in anapplication tunnel can allow for the addition of metadata for variouspurposes. For example, the encapsulation protocol, via added metadata,can identify the particular application tunnel, which allows thetunneling mediator to distinguish the tunnel from other applicationtunnels that the tunneling mediator may simultaneously be handling. Thiscan help to prevent mixing data between the different applicationtunnels, helping to ensure that the tunneled data is delivered to thecorrect resource (e.g., enterprise resource 130). Stated differently,the encapsulation protocol may add metadata that enables multipleapplication tunnels to be multiplexed for transmission on a commonconnection. The added metadata can also specify the length of eachmessage sent through the tunnel. Added metadata can also be unrelated tothe application tunnel or to the application 318 that initiated thetunnel, such as a list of software applications 318 installed on themobile device 120, or results of commands sent to the mobile device 120by the mobile device management system 126. Such data can be used by themobile device management system 126 to update the mobile deviceinformation 204.

A typical network connection request generated by the softwareapplication 318 may use a multi-layered communication protocol involvingmultiple protocol headers. In a simplified example, the access requestgenerated by the software application 318 may take the following form:

[IP header][TCP header][HTTP header][SOAP header][SOAP body],

wherein “IP” refers to the Internet Protocol, “TCP” refers to theTransmission Control Protocol, “HTTP” refers to the Hypertext TransferProtocol, and “SOAP” refers to the Simple Object Access Protocol. Inthis example, the mobile device's enterprise agent 320 can be configuredto intercept this communication (e.g., by use of an LSP) at the TCPlayer, and then rewrap or encapsulate the TCP payload (which in thisexample is [HTTP header][SOAP header][SOAP body]) in multiple layersaccording to an encapsulation protocol used by the enterprise agent 320.For example, the enterprise agent 320 could rewrap or encapsulate theTCP payload within the following plurality of layers: SSL (SecureSockets Layer), TCP, IP, etc. The enterprise agent 320 can then send theencapsulated request to the tunneling mediator. In other embodiments, asdescribed above, the software application 318 can be configured to sendthe request to a local port of the mobile device 120 (from which theenterprise agent 320 receives, encapsulates, and redirects the requestto the tunneling mediator), or even encapsulate the request and send itdirectly to the tunneling mediator.

Upon receipt of the encapsulated request from the mobile device 120, thetunneling mediator can unpack the request according to the encapsulationprotocol. In the above example, the tunneling mediator extracts the TCPpayload generated by the mobile device's software application 318. Thetunneling mediator can then send the TCP payload to a URL/port (obtainedfrom the relevant tunnel definition 228) of the requested enterpriseresource 130 (e.g., a server port of the server on which the requestedenterprise resource 130 is installed). In the above example, theextracted TCP payload contains the higher level protocols, HTTP andSOAP. In certain embodiments, the encapsulation protocol uses SecureSockets Layer (SSL) over HTTPS to form the tunnel.

FIG. 5 is a flowchart illustrating an embodiment of a method in which anenterprise agent 320 of a mobile device 120 redirects communicationsgenerated by a mobile device application 318 to an enterprise resource130 through an application tunnel. In step 502, the application 318generates a network request for access to an enterprise resource 130 ofthe enterprise computer system 110. As explained above, this request cancomprise a payload for the enterprise resource 130, encapsulated withinother protocol headers (“application-generated communication”). In step504, the enterprise agent 320 intercepts or receives the request. Instep 506, the enterprise agent 320 modifies the request by encapsulatingsome or all of the request within one or more headers according to anencapsulation protocol (producing an “agent-generated communication”).For example, the enterprise agent 320 could encapsulate a portioncontaining the payload for the enterprise resource 130. In step 508, theenterprise agent 320 opens a network connection (e.g., connection 142,144 of FIGS. 1A and 1C, or connections 142, 160 of FIG. 1B) between themobile device 120 and a tunneling mediator (e.g., the tunneling mediator224) associated with the enterprise system 110. In step 510, theenterprise agent 320 sends the agent-generated communication to thetunneling mediator via the network connection. In step 512, theenterprise agent 320 receives data from the tunneling mediator, thereceived data being responsive to the request (“resource-generatedresponse”). The received data can be encapsulated according to theencapsulation protocol, and the enterprise agent 320 may need to unpackthe data, for example, according to the encapsulation protocol. Finally,in step 514, the enterprise agent 320 provides the received data to theapplication 318.

FIG. 6 is a flowchart illustrating an embodiment of the applicationtunneling methodology, from the perspective of the enterprise system110. As with all of the methods described herein, some of theillustrated steps can be optional. In step 602, a tunneling mediator ofor associated with the enterprise system 110 (e.g., the tunnelingmediator 224) receives a request from the mobile device application 318,for access to the enterprise resource 130. As explained above, therequest can comprise an agent-generated communication—anapplication-generated communication that the device's enterprise agent320 has intercepted or received, modified according to the encapsulationprotocol, and then redirected to the tunneling mediator (e.g., vianetwork communication links 142 and 144 of FIG. 1A). The request maycomprise a payload for the enterprise resource 130. In step 604, theenterprise system 110 can determine whether access to the enterpriseresource 130 is authorized. For example, as described below, the mobiledevice manager 202 or tunneling mediator 224 can determine whether therequest is permissible under one or more of the enterprise accesspolicies 218 of the mobile device management system 126. In step 606,the tunneling mediator extracts the payload for the enterprise resource130 from the encapsulated request after the request is authorized. Instep 608, the tunneling mediator or another component of the enterprisesystem 110 logs information about the request and/or the payload. Thislogging functionality is described in more detail below. In step 610,the tunneling mediator opens a resource network connection (e.g.,connection 152 of FIGS. 1A and 1C, or connection 162 of FIG. 1B) betweenthe tunneling mediator and a server port associated with the requestedenterprise resource 130. In step 612, the tunneling mediator sends atleast the enterprise resource payload to the server port via theresource network connection. In many applications, the enterpriseresource 130 responds to the request by sending data(“resource-generated response”) back to the mobile device 120.Accordingly, in step 614, the tunneling mediator receives data (e.g., aplurality of data packets) from the enterprise resource 130, via theresource network connection. The data is typically responsive to therequest received in step 602. In step 616, the tunneling mediator (oranother component) logs information about the data received from theenterprise resource 130. Finally, in step 618, the tunneling mediatorsends the data to the mobile device 120.

The illustrated logging steps 608 and 616 of FIG. 6 can allow anenterprise to keep track of data that flows through the resource networkconnection (e.g., connections 152, 162 of FIGS. 1A-1C) between thetunneling mediator and the enterprise resource 130. The use ofapplication tunnels for such logging enables user and device behaviorsto be tracked at more granular level, and with a greater level ofcontrol. For example, because each application tunnel is ordinarily tiedto a particular mobile device 120, user, and mobile application, datatransmitted over that tunnel can be stored in association with thismobile device, user and application. This gives an enterprise greatervisibility into the activities of its mobile device users 115. Thetunneling mediator (or other component associated therewith) can beconfigured to log various types of information, such as the actual datasent through the resource network connection, the amounts of data sentthrough the resource network connection, types of data sent through theresource network connection, names of files sent through the resourcenetwork connection, the number of times a particular user accesses oneor more enterprise resources 130, the times at which a user requestedaccess to one or more enterprise resources 130, etc. Analytics can begenerated from the logged data. The mobile device management system 126can set rules based on such analytics. As one example, access to one ormore enterprise resources 130 can be restricted for a mobile device 120with a high volume of downloads.

Application tunnels as described above can also be used for purposesother than accessing enterprise resources 130. For example, as describedbelow in connection with FIGS. 12, 13, and 18), an application tunnelcan be used to conduct a “remote control session” between a mobiledevice 120 and a controller computer.

Another use of an application tunnel involves so-called “web filtering”or “content filtering,” in which an enterprise may wish to restrict thenetwork sites (e.g., websites) or other online information resourcesthat a mobile device 120 is authorized to access. Using an applicationtunnel to perform content filtering can be implemented with featuresrelated to modifying a pre-existing mobile application, and/or throughthe use of a secure web browser as described below. Access can beauthorized, for example, at all times, only during business hours, etc.In certain embodiments, the enterprise agent 320 is configured toredirect intranet and/or Internet requests generated by the mobiledevice 120 (e.g., a URL entered into a web browser, or an HTTP requestgenerated by the web browser, for an information resource available onthe world wide web) through an application tunnel to a content-filteringserver associated with the enterprise. The content-filtering server actsas a tunneling mediator, and inspects each request to determine whetherthe requested site is authorized by the enterprise. For example, thecontent-filtering server can maintain a list of sites that are“blacklisted” by the enterprise, and can deny requests to accessblacklisted sites. In certain embodiments, this determination may bebased on the specific mobile device 120 and user 115 making the request(e.g., based on user role 206). The content-filtering server can belocated within or outside of the enterprise system 110, and could be athird-party server operated at least partially for the benefit of theenterprise. If the request is authorized, the content-filtering servercan send the request to a server associated with the authorized site tobe accessed by the mobile device 120. The content-filtering server canbe configured to modify the request to strip away any headers that wereproduced by the enterprise agent 320 to form an application tunnel withthe content-filtering server (according to the encapsulation protocol).The server associated with the requested site can then receive therequest in a form as though it was never sent to the content-filteringserver.

FIG. 25 illustrates an embodiment in which application tunnels arecreated using an enterprise agent 320 that runs on the mobile devices120 (one shown). In this embodiment, the enterprise agent 320 includes,or acts as, an HTTP proxy server 320 a for one or more mobileapplications that run on the mobile device 120. The enterprise agent 320communicates via a wireless network (WIFI, cellular, etc.) with themobile device management system 126, which may, for example, beimplemented on a dedicated server within the enterprise system 110. Themobile device management system 126 illustrated in FIG. 25 includes aweb admin console 126 a that enables administrators, via a web-basedinterface, to configure and deploy application tunnels between mobiledevices 120 and application servers 2500. The mobile device managementsystem 126 illustrated in FIG. 25 also includes a tunnel mediator 126 bwhich implements the tunneling encapsulation protocol, and which routespackets sent between the mobile devices 120 and application servers2500.

In this embodiment of FIG. 25, the enterprise agent 320, upon deploymentof the application tunnel, creates a socket that listens on a particularport that is known to the mobile application(s) that use the applicationtunnel. When a mobile application writes to this port (by writing tolocalhost:XXX, where “XXX” is the listened-to port number), theenterprise agent 320, acting at an HTTP proxy for the mobileapplication, encapsulates and forwards the message, for example, asdescribed above. More specifically, when a mobile application generatesan HTTP request that is directed to an application server 2500 (or otherresource) of the enterprise system 110, the enterprise agent 320intercepts the request, and sends the request over an application tunnelestablished between the mobile device 120 and the mobile devicemanagement system 126. The tunnel mediator component 126 b of the mobiledevice management system 126 then extracts the encapsulated HTTPmessage, and sends it to the relevant application server 2500.

One potential problem with this approach is that some applicationservers, such as Microsoft SharePoint, will reject the request if thehostname is incorrect. To address this issue, the enterprise agent 320,in some embodiments, replaces the hostname (localhost:XXX) in theintercepted request with the correct hostname of the target applicationserver 2500. This involves modifying the relevant HTTP header or headersof the original HTTP request received from the mobile application, andthen sending the modified HTTP request via the application tunnel. Inother embodiments, the task of replacing the hostname is insteadperformed by the mobile device management system 126 upon receiving andextracting the encapsulated HTTP request.

The process by which HTTP requests are intercepted and modified in theconfiguration of FIG. 25 is further illustrated in FIG. 27. In event A,an administrator configures and deploys an application tunnel between amobile device 120 and an application server 2500. This may beaccomplished using the web admin console 126 a as will be describedbelow. In event B, the agent 320, in response to the deployment of thetunnel, creates a socket and begins listening on the associated port(addressable as localhost:XXX). In event C, the agent 320, acting as anHTTP proxy, receives or “intercepts” an HTTP request from an applicationrunning on the mobile device 120, and modifies the hostname to theactual hostname of the target application server 2500. The agent 320then encapsulates the modified HTTP requests and sends it to the mobiledevice management system 126. In event D, the tunnel mediator 126 brunning on the mobile device management system 126 extracts the modifiedHTTP request and sends it to the application server 2500 associated withthe tunnel. The tunnel mediator 126 b also encapsulates the applicationserver's response for transmission to the mobile device 120.

FIG. 26 illustrates one embodiment of a tunnel configuration page/screenprovided by the web admin console 126 a of FIG. 25. An administrator canuse this page to set up an application tunnel between a particularmobile device 120 and an application server 2500. In the example shownin FIG. 26, the tunnel will be deployed on and specific to a singlemobile device 120. The “Application device parameters” section includesa “client port” field that is used to specify the port that the agent320 listens to on the mobile device 120. The “application deviceparameters” section also includes three options for specifying howtraffic is to be intercepted and redirected. The page also includesvarious other configuration options, including an option to use a secure(SSL) connection.

Referring again to FIG. 25, in some configurations a custom SSL (SecureSockets Layer) library 320 b may be installed on the mobile device 120to support secure application tunnels. The custom SSL library 320 b maybe part of the agent 320 (as shown in FIG. 25), or may be distinct. Thecustom SSL library 320 b supplements the standard SSL library providedby the mobile device's operating system, and modifies the SSLhandshaking protocol in a manner that enables the SSL handshakingsequence to be performed over an application tunnel. More specifically,the custom SSL library enables the mobile device 120 to accept theapplication server's transmission of a digital certificate even thoughthe hostname transmitted with this digital certificate does not matchthe expected hostname. By contrast, the standard SSL libraries typicallyprovided with existing mobile operating systems would reject theapplication server's digital certificate in this situation. The customSSL library 320 b may perform this task by overriding some of the TrustManager certificate inspection functionality to create an exception tothe mismatch in the hostname as part of the certificate. To support theuse of the custom SSL library 320 b, application developers may beprovided with an API (such as a Java file) that enables them to developmobile applications that use the custom SSL library 320 b to establishSSL connections.

FIG. 28 illustrates additional processing that is performed when theapplication tunnel is set up as a secure (SSL) tunnel in theconfiguration of FIG. 25. In this process, the custom SSL library 320 b(shown in FIG. 25) installed on the mobile device 120 creates anexception to the requirement that the application server's digitalcertificate must specify a hostname that matches the expected hostname.In event A of FIG. 28, an administrator configures and deploys the HTTPSapplication tunnel, preferably using the web administration console 126a. In event B, the agent 320 creates a socket and begins listening onport localhost:XXX, as described above in connection with FIG. 27.(Although not shown in FIG. 27, the agent 320 in this embodimentintercepts and modifies requests from applications using the sameprocess as shown in FIG. 27.) In event C, the mobile device 120, usingthe custom SSL library 320 b, initiates SSL handshaking with theapplication server 2500 via the application tunnel. This involves themobile device 120 sending a hello message, including the SSL version,encryption and compression information, and a 28-byte random number.This message is intercepted by the agent 320 (as described above withreference to FIG. 27), and is sent via the agent 320 to the mobiledevice management system 126, which forwards the message to theapplication server 2500.

In event D of FIG. 28, the application server 2500 responds by returninga digital certificate containing a public key and cipher suites. Thisdigital certificate contains or specifies the localhost hostname of theagent 320 (localhost:XXX). Ordinarily (i.e., if a standard SSL librarywere used), the SSL library would reject this digital certificatebecause it expects the digital certificate to specify the applicationserver's hostname. As shown in event E of FIG. 28, the custom SSLlibrary 320 b avoids this problem by making an exception to thisrequirement. The custom SSL library can create this exception byupdating the SSL Trustmanager to permit a mismatch between theapplication server's hostname and the localhost hostname used by theagent 320. (Although the exception could be created for all hostnames,this could facilitate a man-in-the-middle attack.) As further shown inevent E, the custom SSL library 320 b also sends to the applicationserver 2500 authentication code keys encrypted with the applicationserver's public key. Thereafter, for the duration of the SSL session,the mobile device 120 and application server 2500 can use symmetric keysfor encryption.

Use of Mobile Device Management System to Regulate Mobile Device Accessto Enterprise System

If the mobile device management system 126 is used as a tunnelingmediator for application tunnels between mobile devices 120 andenterprise resources 130, the system 126 can be configured to regulatethe devices' access to the resources 130. The system 126 can beconfigured to read information from the application tunnel requestheaders or bodies, compare it to the mobile device data 204 (FIG. 2) todetermine information about the user 115 and/or mobile device 120associated with the request, and enforce the enterprise access policies218 to grant or deny the application tunnel requests. Access policies218 can be enforced based on the locally stored user roles 206, mobiledevice properties 208, user-device assignments 210, other data, or anycombination thereof. It will also be understood that any tunnelingmediator other than the mediator 224 can be configured to enforce theaccess policies 218, as long as the tunneling mediator has access to themobile device information 204.

FIG. 7 is a flowchart illustrating an embodiment of a method in which atunneling mediator such as the mediator 224 in FIG. 2, uses accesspolicies 218 to regulate mobile device access to enterprise resources130. The mobile device management system 126 can be configured toreceive application tunnel access requests from mobile devices 120(e.g., via an application tunnel using network connections 142 and 144)to access the enterprise resources 130. Accordingly, in step 702 of FIG.7, the mobile device management system 126 receives an access requestfrom one of the mobile devices 120. In certain embodiments, when such arequest is received from a mobile device 120, the tunneling mediator 224is configured to deny the request if one or more properties of themobile device 120 and/or one or more properties of a user 115 assignedto the mobile device 120 do not comply with one or more of the accesspolicies 218. Accordingly, in decision step 704, the tunneling mediator224 determines whether one or more properties of the mobile device 120comply with one or more relevant access policies 218 (e.g., generalaccess policies, or access policies associated with the requestedenterprise resource(s) 130). The mobile device properties on which thetunneling mediator 224 can evaluate the access request can be the deviceproperties 208 or other properties determined from the request itself.If the mobile device properties ascertained from the access request donot comply with the relevant access policies 218, then, in step 710, thetunneling mediator 224 can deny the access request. On the other hand,if the mobile device properties are in compliance with the one or moreassociated access policies 218, then the method proceeds to decisionstep 706, in which the tunneling mediator 224 determines whether one ormore properties of the user 115 assigned to the mobile device 120 are incompliance with the one or more relevant access policies 218. Theproperties of the user 115 can be, e.g., the user's role 206 or otheruser-related information that may or may not be stored within the mobiledevice information 204. The tunneling mediator 224 can determine whichuser 115 is assigned to the mobile device 120 by, e.g., using theuser-device assignment records 210. If the one or more user propertiescomply with the one or more access policies 218, then the tunnelingmediator 224 grants the mobile device 120 access to the requestedenterprise resource(s) 30, in step 708 (through the connection 152 or162). If not, then the tunneling mediator 224 denies access in step 710.It will be appreciated that this methodology allows the enterprise toregulate mobile device access to the enterprise resources 130 in a veryflexible way, based on various combinations of mobile device propertiesand user properties.

As noted above, in some embodiments the tunneling mediator 224 ispositioned outside of the enterprise system 110 (e.g., in acloud-computing system as in FIG. 1B). It will be appreciated that themobile device information 204, enterprise access policies 218, mobiledevice rules 214, and/or remedial action descriptions 216 can also bestored outside of the enterprise system 110, such as with the tunnelingmediator 224. In those embodiments, the tunneling mediator 224 can stillbe configured to receive the access requests from the mobile devices120, and then grant or deny the requests based on the access policies218. In such embodiments, the tunneling mediator 224 can be configuredto send the granted access requests to a network node positioned withinthe enterprise system 110, which in turn routes the requests to therequested enterprise resources 130. For example, the network node cancomprise a computer server, the secure mobile gateway 128, or anothernetwork device.

Examples of Policies for Controlling Mobile Device Access to EnterpriseSystem Resources

There are many possible cases in which an enterprise may wish toregulate or restrict mobile device access to enterprise resources 130based on mobile device properties and/or properties of users 115assigned to the mobile devices 120. Several of these “use cases” are nowdescribed. For clarity, the use cases are enumerated below. Also, forsimplicity, the use cases are described in the context of accesspolicies 218 stored in the mobile device management system 126. Asdiscussed above, the system 126 can be a provider 408 of gateway rules404 to the secure mobile gateway 128, and/or can regulate mobile deviceaccess to enterprise resources 130 via application tunnels. However, itwill be appreciated that such gateway rules 404 could be created andgiven to the gateway 128 by any other provider 408.

Skilled artisans will understand that the following examples representonly a small portion of the full range of possibility for how enterpriseaccess can be regulated using the disclosed components and/or processes.For instance, it will be appreciated that the access policies 218 candepend on any combination of user 115 properties, mobile device 120properties (e.g., device properties 208), the specific enterpriseresources 130 for which access is being requested, and otherinformation, and that the specific examples provided below are merelyillustrative and far from exhaustive. Further, it will be understoodthat some use cases can be combined.

Use Case 1:

One or more of the access policies 218 may require that the mobiledevice 120 requesting access (the “access-requesting device”) isenrolled with the mobile device manager 202. This helps to preventgiving enterprise resource access to people who are not associated withthe enterprise.

Use Case 2:

One or more access policies 218 may require that the access-requestingdevice 120 be a certain device type (e.g., iPhone™, Windows Mobile™,etc.)

Use Case 3:

One or more of the access policies 218 may require that theaccess-requesting device 120 have certain settings, such as beingpassword-protected. This helps to prevent giving enterprise resourceaccess to people who are not associated with the enterprise (e.g., arenot users 115) but somehow obtain a mobile device 120 (e.g., a device120 that is misplaced or lost by the assigned user 115) and attempt toaccess the enterprise system 110.

Use Case 4:

One or more of the access policies 218 can require that theaccess-requesting device 120 use a current operating system version.

Use Case 5:

One or more of the access policies 218 can require that theaccess-requesting device 120 complies with a security requirement (e.g.,an antivirus requirement) of the enterprise. If a mobile device 120 isnot security-compliant (e.g., does not have up-to-date antivirussoftware installed or has not conducted a sufficiently recent auto-scanof its files, data, or applications for viruses), then permitting thedevice 120 to access an enterprise resource 130 may cause the virus toinfect the resource 130, potentially jeopardizing the operability of theenterprise system 110 or at least the specific resource 130 to whichaccess is given. Hence, these types of access policies 218 can preventsuch undesirable outcomes.

Use Case 6:

One or more of the access policies 218 can require that theaccess-requesting device 120 not be “jailbroken.” Jailbreaking is aprocess that allows a mobile device 120 to gain full access (“rootaccess”) to unlock all features of its operating system, therebyremoving limitations that may be imposed by the device manufacturer.Once jailbroken, a mobile device 120 may be able to download previouslyunavailable applications and extensions. Jailbreaking a mobile device120 can give access to its root file system, allowing modification andinstalling third-party software components. Hence, a jailbroken deviceis often one in which security protections are removed. Thus, preventingjailbroken devices from accessing enterprise resources 130 furtherprotects the enterprise system 110 from security threats andvulnerabilities.

Use Case 7:

One or more of the access policies 218 can require that theaccess-requesting device 120 not have any unauthorized applicationsinstalled. In this example, an “unauthorized application” can be asoftware application that is not authorized to be installed on theaccess-requesting device 120, and/or on a particular group of devices120 of which the access-requesting device is a member.

Use Case 8:

One or more of the access policies 218 can require that the user 115assigned to the access-requesting device 120 have one or more predefinedroles 206 associated with the enterprise. For example, an access policy218 can deny mobile device access to one or more of the enterpriseresources 130 for mobile devices 120 assigned to users 115 having roles206 that are not related to sales, engineering, or upper management.

Use Case 9:

One or more of the access policies 218 can depend on which particularenterprise resources 130 are being requested to be accessed by anaccess-requesting device 120. For example, the conditions for which anenterprise may grant mobile device access to a CRM resource may bedifferent than the conditions for which an enterprise may grant accessto a product information database. Accordingly, different accesspolicies 218 can be created and used for different enterprise resources130. In addition to depending on the requested enterprise resource(s)130, an access policy 218 can require that the user 115 assigned to theaccess-requesting device 120 have certain properties, such as a specificrole 206 (as in Use Case 8 described above) or another statusindication. For example, for a CRM resource 130, an enterprise may wishto grant mobile device access only to users 115 with roles 206 involvingsales or upper management. In that case, an access policy 218 for theCRM resource 130 may require that the user 115 assigned to theaccess-requesting device 120 have a sales or upper management role 206,and the mobile device manager 202 can be configured to deny accessrequests from mobile devices 120 assigned to users without those roles206. An access policy 218 can further require that the user 115 assignedto the access-requesting device 120 be in good standing with theenterprise (e.g., users 115 whose employment is not terminated and whoare not on a probationary status).

Meta-Application

Referring again to FIG. 1A, the meta-application 150, if present, can beconfigured to discover, model, and/or monitor various components of theenterprise system 110, including by methods described in Qureshi '536.The meta-application 150 can also be configured to use encoded logicrules to detect “features” and “problems,” perform “root causeanalysis,” plan “remedial actions,” and/or execute the remedial actionson the enterprise system 110, including by methods described in Qureshi'536. In this context, a logic rule can comprise a logical combinationof features of the managed system 110, and can correspond to at leastone problem. Further, a logic rule can include queries for specificinformation from the enterprise system (“telemetry queries”) or from amodel of the enterprise system (“enterprise model query”), wherein theenterprise model is generated by the meta-application 150. A problem cancomprise any problematic state of any software, hardware, or firmware ofthe enterprise system 110 or of a mobile device 120. Themeta-application 150 can detect a problem by satisfying the logic of acorresponding logic rule. A feature can comprise a condition of aproblem. For example, a logic rule can contain a telemetry query orenterprise model query for detecting a feature of the enterprise system110. Root cause analysis can refer to the detection of a component(again, software, hardware, firmware, or even the relationship betweensuch types of components) that is a “root cause” of observed problematicbehavior. The meta-application 150 can be configured to address detectedproblems by planning or executing remedial actions associated with theproblems.

Inputs (e.g., features) to the logic rules used by the meta-application150 to detect problems can come not only from the “backend” of theenterprise system 110 (the portion of the system 110 behind the internalfirewall 124), but also from other sources, such as the secure mobilegateway 128, the enterprise agents 320 on the mobile devices 120, or anapplication tunnel mediator, such as embodiments of the mobile devicemanagement system 126. For example, an input to a logic rule can be agrant or denial of a mobile device's access request 402 by the securemobile gateway 128. For instance, a logic rule can define a particularproblem, at least in-part, as the denial by the gateway 128 ofenterprise system access to a mobile device 120 used by the CEO of theenterprise. If the CEO is denied access, data indicative of this eventsatisfies this portion of the logic rule. In another example, an inputto a logic rule can be data indicating that a user 115 has downloadedgreater than a certain threshold amount of data within a specified timeperiod. Such data could be provided to the meta-application 150 by anapplication tunnel mediator. In still another example, an input to alogic rule can be data indicative of the device's configuration orperformance, such as data indicating that a user 115 has installed acertain software application on the user's mobile device 120. Such datacould be provided to the meta-application 150 by the enterprise agent320 of the user's device 120.

In certain embodiments, one type of remedial action defined by a logicrule used by the meta-application 150 can be the creation of a newgateway rule 404 or the modification of an existing gateway rule 404,along with sending the new or modified gateway rule to the secure mobilegateway 128. In this manner, the meta-application 150 can be configuredto programmatically control the gateway 128 to block mobile deviceaccess requests in an automated fashion. Another type of remedial actioncan be the creation of a new access policy 218 or the modification of anexisting access policy 218, along with sending the new or modifiedpolicy to the mobile device management system 126. Another type ofremedial action can be the creation of a mobile device rule 214 or themodification of an existing mobile device rule 214, along with sendingthe new or modified mobile device rule to the mobile device managementsystem 126 and/or one or more of the mobile devices 120. Another type ofremedial action can be to send a command directly to one or more of themobile devices 120, for execution by the enterprise agent 320. In thismanner, the meta-application 150 can effectively execute actions on thedevices 120, such as wiping data or applications from the devices 120,locking (i.e., preventing usage of) the devices 120, preventing certainapplications installed on the devices from running, turning devicefeatures on or off, adjusting device settings, and the like.

In the embodiment of FIG. 1C, the meta-application comprises a portion150 residing in the enterprise's backend, and a portion 151 residing ina cloud computing system or “cloud” 156. The cloud-based system 156 isordinarily separate and distinct from the enterprise system 110 (e.g.,the two systems do not share any physical computers or servers) and isordinarily operated primarily by cloud service provider business entitythat is separate and distinct from the enterprise. In certainembodiments, the backend meta-application portion 150 collects data fromthe enterprise system 110, sends it to the cloud-based meta-applicationportion 151, and possibly also detects “features” as mentioned above. Incertain embodiments, the cloud-based meta-application portion 151 usesthe data to model the enterprise system 110, to detect “problems” and“root causes,” to plan remedial actions, and/or to execute the remedialactions.

FIG. 8 shows one particular embodiment of a partially cloud-basedmeta-application. The meta-application includes several componentsresiding on enterprise servers 802, and other components residing onservers within the cloud 156. Additionally, the meta-applicationcommunicates with the mobile device management system 126, the securemobile gateway 128, and the enterprise device agents 320 running on themobile devices 120.

In the illustrated embodiment, the enterprise system 110 includes one ormore computer servers 802, which can include some or all of the elementsshown in the systems 110 of FIGS. 1A-C. A meta-application agent 804 canbe installed on each server 802 having components that are desired to bemonitored and/or managed by the meta-application 150. Eachmeta-application agent 804 can be “born” (at installation) with the URLof the cloud-based meta-application portion. Alternatively, the agents804 can be configured to receive the URL from an administrator. It willbe understood that it is not necessary to install meta-applicationagents 804 on every computer server of the enterprise system 110. Theenterprise-based portion of the meta-application can be configured toallow an IT administrator to select the enterprise servers 802 on whichto install the meta-application agents 804, as part of the installationprocess of the meta-application.

In the illustrated embodiment, the meta-application agent 804 includesan enterprise modeling processor 806, a telemetry processor 808, afeature detector 810, and a remedy agent 812. These components are nowdescribed.

The enterprise modeling processor 806 can be configured to access and/orobtain information from the server 802, which is needed or useful forconstructing a queriable model 814 of the enterprise system. Theenterprise model 814 can describe the hardware, software, and/orfirmware of the enterprise system 110, and can include, for example,configuration information, registry data, database information, andother information useful for evaluating logic rules 818. The enterprisemodel 814 can comprise an object graph, with the objects representinghardware, software, firmware, relationships therebetween, and the like.Exemplary methods and approaches to modeling are described in Qureshi'536, particularly the sections relating to “discovery” and “applicationmodels.” Each enterprise modeling processor 806 can be configured toconstruct a model of the particular server 802 on which it is installed.The cloud-based meta-application portion can be configured to receivedata from the enterprise modeling processors 806 and use the data toconstruct the overall enterprise model 814. The enterprise modelingprocessors 806 can be configured to send new data to the cloud-basedmeta-application portion on an ongoing basis, to support dynamicupdating of the enterprise model 814. Finally, it will be appreciatedthat the enterprise agents 320 of the mobile devices 120 can also beconfigured to conduct discovery of information about the devices 120 andsend the discovered information to the enterprise model 814, and theenterprise model 814 can thereby model one or more of the devices 120 aswell as the enterprise system 110. In other words, agents 320 caninclude enterprise modeling processors 806 or similar functionality.

The telemetry processor 808 can be configured to receive, from thecloud-based meta-application portion 151, requests for specific dataabout the server 802 on which it is installed. The telemetry processor808 can be configured to respond to such a request by gathering therequested data (referred to herein as “telemetry”) and providing it tothe feature detector 810 for analysis. The telemetry can comprise manydifferent types of data about the hardware, software, and/or firmware ofthe enterprise system 110, including without limitation configurationdata, performance data, data about the mobile devices 120, and data fromor about the mobile device management system 126, secure mobile gateway128, and enterprise resources 130. Telemetry can comprise “state metricdata,” as described in Qureshi '536. State metric data can comprise rawtime-varying data indicative of a state of the server 802 or anycomponent thereof. It will be appreciated that the enterprise agents 320of the devices 120 can also be configured to gather device data based onrequests for same from the meta-application portion 151, and to send thegathered telemetry to a local feature detector 810 or back to themeta-application portion 151. In other words, agents 320 can includetelemetry processors 808 or similar functionality.

The feature detector 810 can be configured to analyze the telemetryreceived from the telemetry processor 808, to detect features of thelogic rules 818. The features can be defined within a telemetry querythat the cloud-based meta-application portion sends to themeta-application agent 804. Performing feature detection at least partlywithin the enterprise system 110, as opposed to within the cloud 156,can significantly reduce the bandwidth for communications between themeta-application agent 804 and the cloud 156, because not all of thetelemetry is sent to the cloud 156 in certain applications. Forinstance, the meta-application agent 804 can merely send the detectedfeatures to the cloud 156. Skilled artisans will understand that afeature can be much less data-intensive than the raw telemetry fromwhich the feature is detected. For example, a feature can simply be anindication that a particular condition is true. In an alternativeembodiment, the feature detector 810 resides within the cloud 156, andthe telemetry processor 808 can send some or all of the gatheredtelemetry to the cloud for feature detection. It will be appreciatedthat the enterprise agents 320 of the mobile devices 120 can also beconfigured to analyze telemetry gathered in response to a request fromthe meta-application portion 151, in order to detect features of thelogic rules 818 and send those features back to the meta-applicationportion 151. In other words, agents 320 can include feature detectors810 or similar functionality.

The remedy agent 812 can be configured to execute remedial actions 820on the server 802 on which it is installed. The meta-application agent804 can receive remedial actions 820 from the cloud-basedmeta-application portion. Although not shown in FIG. 8, the mobiledevice management system 126 can include a remedy agent 226 (FIG. 2),and so can the secure mobile gateway 128. Such remedy agents can allowthe meta-application to execute remedial actions against the mobiledevice management system 126 and the secure mobile gateway 128. It willbe appreciated that the enterprise agents 320 of the mobile devices 120can also be configured to execute remedial actions 820 on the devices120. In other words, agents 320 can include remedy agents 812 or similarfunctionality.

Referring still to FIG. 8, the illustrated cloud-based meta-applicationportion 151 includes a telemetry monitor 822, the enterprise model 814,logic rules repository 816, inference engine 824, repository 826 ofdetected problems and/or root causes, user interface 828, notificationmanager 830, and remedy workflow module 832. It will be understood thatthe cloud-based meta-application portion need not include all of thesecomponents, and can also include additional components not shown in FIG.8.

The telemetry monitor 822 can manage communications between thecloud-based meta-application portion and the meta-application agents804, as well as any other components that provide data that thecloud-based meta-application portion can use to evaluate the logic rules818, such as the enterprise agents 320 of the mobile devices 120, themobile device management system 126, and the secure mobile gateway 128.Hence, the telemetry monitor 822 can receive features detected by thefeature detectors 810, and can provide the features to the inferenceengine 824. The telemetry monitor 822 can be configured to prioritizeincoming features and other data, so that more important or urgentinformation is passed on to other components of the meta-applicationbefore less important or less urgent information.

The inference engine 824 can be configured to access the repository 816of logic rules 818 and evaluate whether individual rules 818 aresatisfied by features of the deployment, wherein each satisfied rulecorresponds to the detection of at least one problem. A logic rule 818can include queries for information, such as a telemetry query or anenterprise model query. The inference engine 824 can be configured toprocess these queries of the logic rules 818 by querying the enterprisemodel 814 or relevant ones of the meta-application agents 804 for theneeded information (e.g., features of the rule). The inference engine824 can also be configured to perform root cause analysis to detect rootcauses of problematic behavior of the enterprise system 110. A rootcause can be an object of the enterprise model 814, which represents acomponent of the enterprise system 110. The inference engine 824 can beconfigured to employ rule evaluation methods and root cause analysismethods as taught in the '536 Qureshi patent (refer to discussions of“Problem Logic” and root cause analysis, respectively). The inferenceengine 824 can further be configured to log detected problems and rootcauses in a repository 826.

The user interface 828 can allow administrators to interact with thecloud-based meta-application portion. The illustrated user interface 828comprises a web server interface to facilitate access over the Internet.The user interface 828 can also include a server terminal interface aswell.

The notification manager 830 can be configured to send notifications toadministrators about information detected or computed by themeta-application, such as problems and root causes. Notifications cancomprise, for example, emails, voice messages, SMS text messages, andthe like. Preferably, the notification manager 830 allows an ITadministrator to set and adjust the criteria under which thenotification manager 830 sends notifications.

The remedy workflow module 832 can be configured to select remedialactions 820 for attempting to solve or counter problems or root causesdetected by the inference engine 824. The remedial actions 820 can bestored in the repository 816 of logic rules 818. A remedial action 820can be stored in association with one or more of the logic rules 818.The remedy workflow module 832 can be configured to determine an optimalsequence of execution of remedial actions 820 associated with thedetected problems or root causes. The remedial actions 820 can beabstract or generalized for many different types of managed computersystems 110. In that case, the remedy workflow module 832 can beconfigured to customize the remedial actions 820 into plans that aretailored for the specific enterprise system 110 and mobile devices 120managed by the meta-application. The remedy workflow module 832 can beconfigured to send the customized plans and/or other instructions to theremedy agents 812 of the meta-application agents 804, to similar remedyagents of the mobile device management system 126 and secure mobilegateway 128, or to the enterprise agents 320 installed on the mobiledevices 120. These remedy/enterprise agents can be configured to executethe plans and/or other instructions on such systems and devices. A plancan require human (e.g., an IT administrator) confirmation of plan stepsat stages of the plan. A plan can also be designed to be executed by theremedy agent 812 without human intervention or approval.

The meta-application 150 of FIGS. 1A and 1B can include all of thecomponents illustrated in FIG. 8, including the components residingwithin the cloud 156, and all of such components can reside within theenterprise system 110.

Meta-application components installed on the mobile devices 120 (e.g.,within the enterprise agents 320 or separately) can be configured tocollect state metric data from the devices 120 and send the data back tothe cloud-based meta-application portion 150 and/or the enterprisesystem 110. Such data can be collected regularly (e.g., periodically) orupon specific request by the cloud-based or enterprise system-basedmeta-application portions. Such data can be analyzed (e.g., by theinference engine 824 using the logic rules 818) to diagnose problemsinvolving the devices 120, and to select remedial actions for addressingsuch problems. Such analysis can be conducted even if there is nocurrently available connection to the device 120.

Persons of ordinary skill in the art will understand that themeta-application can be configured to enforce and implement a widevariety of different types of logic rules 818 and remedial actions 820involving the mobile devices 120. For example, a logic rule 818 candefine a problem as the downloading of more than a particular thresholdamount of data to a mobile device 120. The enterprise backend portion ofthe meta-application can detect the throughput of data downloaded to auser's device 120 and determine if it exceeds the threshold defined inthe rule 818. A remedial action 820 associated with the rule 818 canrequire the disabling of the mobile device 120, or perhaps merely thedisabling of the device's ability to download data. Such remedialactions 820 may involve the meta-application sending to the device'senterprise agent 320 a command or script configured to enforce theremedy. Alternatively, the remedial action 820 can require therevocation of the mobile device's certificate by the mobile devicemanagement system 126. Still further, the rule 818 can revoke thedevice's permission to use application tunnels for communicating withenterprise resources 130 or other network resources.

In another example, the meta-application 150 can be configured to creategateway rules 404 based at least partly on the time(s) at which a mobiledevice 120 was “wiped” (e.g., deletion of some or all data stored on thedevice or removal of software application(s) from the device).

In an embodiment in which the meta-application 150 is configured tomanage Microsoft Exchange™, the meta-application 150 can have fullvisibility into the ActiveSync partnership data for the mobile devices120 associated with the enterprise. The meta-application 150 can use theActiveSync partnership data to generate gateway rules 404 that filtermobile device access requests 402 based on such data. For example, theActiveSync partnership data includes the ActiveSync DeviceID's of themobile devices 120. The meta-application 150 can use this information togenerate gateway rules 404 that filter access requests 402 based on theknown DeviceID's.

Device-Resident Management System

In certain embodiments, an enterprise may wish to regulate the settings,applications, uses, other activities, or any combination thereofassociated with the mobile devices 120 used by the enterprise's users115. This can safeguard against threats to the security of enterprisedata and resources and/or to address productivity risks—the risk ofusers using their mobile devices 120 in ways that can negatively affectuser productivity in meeting the user's duties toward the enterprise.Such embodiments are now described.

With continued reference to FIG. 2, the illustrated mobile devicemanagement system 126 includes a computer-readable storage repository212 storing a plurality of different mobile device rules 214. Thestorage repository 212 can be implemented on any suitable non-transitorycomputer-readable medium. A mobile device rule 214 can be an encoded,computer-readable rule configured to be used by a mobile device 120(e.g., by an enterprise agent 320 installed on the mobile device 120) todetect a problem indicative of a security risk and/or a productivityrisk to which the device 120 can expose the enterprise. Numerousexamples or “use cases” of problems that can be detected using themobile device rules 214 are described below.

The mobile device rules 214 can be relatively simple, taking the formof, for example, IF-THEN statements and/or simple declarative logicrules. In other embodiments, the mobile device rules 214 can be muchmore complex, such as the logic rules described in Qureshi '536, whichdescribes logic rules that are configured to be used to generate virtualcircuits that have atomic gates and downstream operator gates. Themobile device rules 214 can include metadata for calculating variousparameters associated with the rules and related problems, such as aconfidence value indicative of a confidence in the detection of theproblem associated with a mobile device rule 214, for example, as taughtby Qureshi '536.

In some embodiments, a mobile device rule 214 has the following format:

-   -   <rule name>    -   <security key><authentication information>    -   <encrypt><rule body>        The rule name can be a name of the particular mobile device rule        214. If the rule 214 is encrypted, the security key can allow        the enterprise agent 320 to decrypt the rule body. The        authentication information can include data concerning the        applicability of the rule to the mobile device 120. The        enterprise agent 320 can use the authentication information to        determine whether the rule 214 can run on the mobile device 120.        The rule body includes the underlying logic of the rule, and is        the part that the enterprise agent 320 evaluates in order to        detect problems and execute one or more associated remedial        actions 216.

In certain embodiments, a mobile device rule 214 maps one or more mobiledevice state metric data values to one of a plurality of theaforementioned problems indicative of security risks and/or productivityrisks to which the devices 120 can expose the enterprise. A “statemetric” can be any data item indicative of a mobile device state, suchas error log entries, records of activations of device features,operating system version, installed software applications 318 (includingapplications that the enterprise may have “blacklisted” as not beingauthorized for installation), whether the mobile device 120 is roaming,a battery level of the mobile device 120, a signal strength of a signalreceived by of the mobile device 120, available memory of the mobiledevice 120, etc. For example, a “state metric” can be a metric thatindicates whether a mobile device feature (e.g., a camera, web browser,password-protection, etc.) has been activated. Another example of astate metric is an indicator of whether the mobile device's SIM card isproperly engaged with the mobile device 120. Other examples of statemetrics will be apparent from the examples of mobile device ruleapplications provided below.

With continued reference to FIG. 2, the repository 212 can include aplurality of encoded, computer-readable remedial actions 216 forcountering the problems. In some embodiments, each of the remedialactions 216 corresponds to one or more of the problems associated withthe mobile device rules 214. Examples of remedial actions 216 areprovided below. In some embodiments, the mobile device management system126 (or another component of the enterprise system 110) can includetools 221 that assist IT personnel in the creation and/or editing ofmobile device rules 214 and/or remedial actions 216. Such tools 221 cancomprise, e.g., a customized word processor or other softwareapplication with extensions, tutorials, and the like to help constructthe rules 214 and/or actions 216.

In certain embodiments, the mobile device rules 214 and their associatedremedial actions 216 are organized into separate “rule packages,” eachrule package including one or more of the rules 214 and preferably therules' associated remedial actions 216. Each rule package can bedesigned or customized for users 115 with specific types of user roles206 and/or mobile device properties 208. Accordingly, each rule packagecan be associated with one or more of the user roles 206, and/or withone or more of the mobile device properties 208. For example, a rulepackage of mobile device rules 214 and associated remedial actions 216can be prepared for all users 115 having roles 206 that that aresales-oriented (e.g., all sales people of the enterprise). As anotherexample, one rule package can be prepared for people using iPhones™ andanother rule package can be prepared for people using Android™ devices.If it is desired to differentiate the permissible activities associatedwith mobile device users 115 having a given role 206, based ondifferences in their mobile device properties 208, then different rulepackages of mobile device rules 214 and associated remedial actions 216can be formed for the different types of mobile devices 120. Forexample, an enterprise can form one rule package of mobile device rules214 and remedial actions 216 for sales people using iPhones™, anotherrule package of mobile device rules 214 and remedial actions 216 forsales people using Android™ devices, and so on. In this manner, rulepackages can be customized as desired for different user roles 206and/or mobile device properties 208.

It will be appreciated that different mobile device rule packages canshare common mobile device rules 214 and/or remedial actions 216. Forexample, suppose that a first mobile device rule and an associatedremedial action is suitable for sales people and corporate boardmembers, and a second mobile device rule and associated remedial actionis only suitable for sales people. A rule package for users 115 that aresales people can include the first and second mobile device rules andtheir remedial actions, while a mobile device rule package for users 115that are board members of the corporate enterprise may include the firstmobile device rule and remedial action but not the second mobile devicerule and remedial action. Many other examples are possible and are inaccordance with the principles and advantages described herein.

The mobile device manager 202 is preferably responsible for sendingappropriate rule packages to the mobile devices 120, based on, e.g., theproperties 208 of the mobile devices and/or the roles 206 of the users115 assigned to the mobile devices. In certain embodiments, a deploymentrule is associated with each rule package or individual mobile devicerule 214 and associated remedial actions 216. The mobile device manager202 can be configured to use the deployment rule to determine whichmobile devices 120 to send the rule package or individual mobile devicerule 214 and associated remedial actions 216. A deployment rule cancause the mobile device manager 202 to access the mobile deviceinformation 204 to identify the mobile devices 120 whose assigned users115 have a role 206 associated with a given one of the rule packages orrules, and/or the mobile devices 120 whose properties 208 are associatedwith the given rule package or rule. Further, the mobile device manager202 can be configured to send the given rule package (including mobiledevice rules 214 and/or remedial actions 216) to the identified mobiledevices 120. In this manner, the mobile device manager 202 can send theappropriate mobile device rule package(s) to each mobile device 120.

For example, suppose that a new mobile device user 115 (e.g., a newemployee) joins the enterprise. The new user's role information 206and/or mobile device properties 208 can be entered (by administratorsand/or by a computer-automated process) into the enterprise's mobiledevice information 204. In one embodiment, the user's role information206 is entered into an RBAC system of the enterprise, and a softwaremodule (such as the mobile device manager 202) transfers the roleinformation 206 to the mobile device information 204. In anotherembodiment, the user role information 206 of the mobile deviceinformation 204 is an RBAC role repository that directly supports anRBAC system. The mobile device manager 202 can be configured to use thenew user's role information 206 and/or mobile device properties 208 todetermine an appropriate mobile device rule package to send to the newuser's mobile device 120. In another embodiment, the mobile deviceinformation 204 does not come from or support an RBAC system.

In another example, suppose that an enterprise modifies its policiesregarding a particular group of mobile device users 115. IT personnelcan modify a mobile device rule package customized for the particularuser group. This can include creating new mobile device rules 214 forthe rule package, deleting rules 214 from the rule package, and/ormodifying some of the rules 214 of the rule package. Alternatively oradditionally, modifying the mobile device rules package can includecreating, deleting, and/or modifying remedial actions 216 of the rulespackage. The mobile device manager 202 can send the updated mobiledevice rule package to each of the mobile devices 120 of the users 115of that particular group.

In many cases, the updated mobile device rule package may be fairlysimilar to older mobile device rule packages that have already been sentto the users' mobile devices 120. In such cases, the mobile devicemanager 202 can be configured to send only the new and/or modifiedmobile device rules 214 and/or remedial actions 216 to each mobiledevice 120, along with instructions for deletion of those rules 214and/or actions 216 that have been deleted from the rule package, suchinstructions being carried out by the enterprise agent 320 of eachmobile device 120. In this manner, the mobile device manager 202 can beconfigured to send mobile device rule package updates to the mobiledevices 120.

In certain embodiments, the enterprise agent 320 is configured toimplement and/or execute the mobile device rules 214 on the mobiledevice 120. Accordingly, the enterprise agent 320 is preferablyconfigured to receive (e.g., via the network interface 310) mobiledevice rules 214 and/or remedial actions 216 from the mobile devicemanagement system 126 associated with the enterprise, and store thereceived rules 214 and/or remedial actions 216 in a computer-readablestorage of the mobile device 120, such as the hard drive 306 or a memorycard inserted into the memory card port 307. The enterprise agent 320can be configured to receive and store the aforementioned mobile devicerule packages and rule package updates from the mobile device managementsystem 126 and store them on the hard drive 306 or memory card. In theillustrated embodiment, the hard drive 306 stores a plurality of mobiledevice rules 214 and remedial actions 216. In some embodiments, theenterprise agent 320 is configured to separately store the mobile devicerules 214 and remedial actions 216 of the rule packages and/or rulepackage updates. In other embodiments, the mobile device rules 214 andtheir corresponding remedial actions 216 are stored together inassociation with one another. In some embodiments, a mobile device 120can receive mobile device rules 214 and/or remedial actions 216 fromsources other than the mobile device management system 126.

FIG. 9 is a high-level flowchart illustrating an embodiment of a methodin which a mobile device 120 applies mobile device rules 214 to detectsecurity-related or productivity-related problems associated with themobile device 120, and in which the mobile device 120 addresses theproblems. According to the method illustrated in FIG. 9, in step 902 theenterprise agent 320 obtains or receives state metric data valuesassociated with the mobile device 120. These state metric data valuesare preferably for state metrics represented in one or more of themobile device rules 214. The enterprise agent 320 can be configured toobtain or receive one or more state metric data values from otherhardware, software, or firmware components of the mobile device 120. Theenterprise agent 320 can be configured to proactively gather data valuesof certain state metrics, for example by issuing an API call for data.For other state metrics or operating systems, the agent 320 cansubscribe to a notification callback mechanism of the mobile device 120,so that the mobile device 120 notifies the enterprise agent 320 aboutcertain events that occur on the mobile device 120.

With continued reference to FIG. 9, in step 904 the enterprise agent 320detects one or more problems defined by the mobile device rules 214. Theenterprise agent 320 is preferably configured to programmatically detectinstances of the problems, at least in-part, by using the mobile devicerules 214 to analyze the received state metric data values. In certainembodiments, the received state metric data can be analyzed incombination with other data values (e.g., user properties, time of day,date, etc.). Further, the enterprise agent 320 can be configured torespond to a detected instance of one of the problems by executing, instep 906, one of the remedial actions 216 on the mobile device 120, inwhich the executed remedial action 216 corresponds to the problemdetected in step 904. In some cases, there may be multiple remedialactions 216 corresponding to a particular problem, and the enterpriseagent 320 may be configured to select among the available remedialactions based on various factors, such as likelihood of successfullycountering the problem (e.g., based on past results of running remedialactions), computing costs associated with executing the remedialactions, user preferences, enterprise preferences, and the like. Incertain instances, the enterprise agent 320 can execute two or moreremedial actions 216 in response to detecting a particular problem.

Some remedial actions 216 can comprise producing an alert, such as amessage delivered to the user 115 of the mobile device 120. The messagecan include text, images, audio, and/or video. The enterprise agent 320can be configured to produce the message and convey the message to theuser 115 via the user interface 304, such as displaying the message onthe screen 326 and/or playing an audible message using the speaker 328.The message can comprise information about a detected problem, and/orinstructions to the user 115 to execute an action on the mobile device120, such as activating or deactivating a feature of the device 120. Themessage can be statically defined in the remedial action 216.Alternatively, the message can be defined using variables that can bebound to actual data values when evaluating a mobile device rule 214(e.g., by the resolution of queries), for example, as taught in Qureshi'536. This can allow the enterprise agent 320 to customize the messageto the specific circumstances of the device 120. Further, any remedialaction 216 instructing the agent 320 to produce such a message canfurther include instructions for actions to be conducted by theenterprise agent 320 if the user 115 (or other person handling themobile device 120) does not execute the action instructed by themessage. For example, the remedial action 216 can cause the enterpriseagent 320 to conduct the action if the user 115 does not execute theinstructed action within a time period defined in the remedial action.

An enterprise can vary the punitiveness of the remedial action 216 to beapplied for a detected problem or violation of a mobile device rule 214based on properties of the mobile device 120 and/or its user 115. Forinstance, it may be desirable to vary the remedy based on the role 206of the user 115. In one example, an enterprise may wish to apply lessstringent remedial actions for higher level executives of an enterprise.

As noted above, some remedial actions 216 can comprise an action (otherthan generating and conveying a message to the user) executed by theenterprise agent 320 on the mobile device 120. In certain embodiments,the remedial actions 216 can comprise actions that the mobile device 120is already designed to conduct, such as activating or deactivatingcertain mobile device features, adjusting device settings, and the like.In such cases, the enterprise agent 320 can be configured to use themobile device's API's to conduct such remedial actions 216.

In some embodiments, the enterprise agent 320 includes a scriptingengine 322, and at least one of the remedial actions 216 comprises ascript that the scripting engine 322 is configured to execute on themobile device 120. The scripts can be written in a scripting languageassociated with the mobile device 120, which can be a command settargeted at controlling the device hardware, software, and/or operatingsystem. The scripting engine 322 can be configured to interpret ascript, and/or to convert the script to a bytecode or other form thatcan be interpreted relatively quickly. In some cases, the mobile devicemanagement system 126 (or another component of the enterprise system110) can include one or more script-creation tools or applications 220that assist IT personnel in the creation of the scripts.

In some embodiments, a script can have the following high-level format:

# USE CASE: [description of what the script does] import android importzenlib [decryption & authentication] [rule body]In this example, the script imports a library of code (“android”)associated with the Android™ operating system, as well as a library ofcompiled code (“zenlib”) that interprets the rule body and decryptionand authentication information. For example, the “zenlib” code can beconfigured to interpret logical, mathematical, and/or Boolean operatorssuch as “AND,” “OR,” “THEN,” “LESS THAN,” “MORE THAN,” etc.

From the various use cases described below, it will be appreciated thatit is possible to provide many different types of mobile device rules214 that cause the enterprise agent 320 to detect and guard againstvarious types of problematic events associated with the mobile device120. It is also possible to provide many different types ofcorresponding remedial actions 216 that cause the agent 320 to react tosuch problematic events by conducting various types of actions, such asrestricting network communications, enforcing password-protections,sending reports back to the enterprise system 110 (e.g., reports of datacontent stored on the mobile device 120, data usage on the device 120,applications 318 running on the mobile device 120, and many other typesof information), deleting data from the device 120, uninstallingapplications 318 from the mobile device 120, and many other actions.

The use of mobile device rules 214, remedial actions 216, and/or scriptsto be run by the scripting engine 322 can be leveraged to conductcompliance audits of mobile devices 120. In certain embodiments, anenterprise system 110 can be configured to cause the enterprise agents320 of all or just some of the mobile devices 120 enrolled with themobile device manager 202 to run one or more mobile device rules 214 atthe request of the enterprise.

For example, suppose that the enterprise learns of a new computer virusto which the enterprise's mobile devices 120 may be particularlyvulnerable. In such a case, the enterprise's IT personnel can cause themobile device manager 202 to send instructions to the enterprise agents320, for example, to run a particular mobile device rule 214 that scansfor the new virus or simply determines whether the mobile device 120 isusing the latest antivirus software updates.

In some cases, the enterprise's IT personnel can cause the mobile devicemanager 202 to send one or more “special” mobile device rules 214 to themobile devices 120. In certain instances, the special mobile devicerules 214 can be sent with instructions for the enterprise agents 320 toimmediately determine whether the mobile devices 120 comply with theserules. Also, the special mobile device rules 214 can be sent withassociated remedial actions 216, and it will be understood thatdifferent types of these special mobile device rules 214 and remedialactions 216 can be sent to different types of mobile devices 120. Themobile device manager 202 can send a special mobile device rule 214 toall of the mobile devices 120 whose assigned users 115 have particularroles 206. These special mobile device rules 214 may or may not be thesame as the mobile device rules 214 and remedial actions 216 providedwithin the customized rule packages described above.

Upon receipt of such a special mobile device rule 214 and possibly aspecial remedial action 216, or upon receipt of instructions to run amobile device rule 214 already stored on the mobile device 120, a mobiledevice's enterprise agent 320 can be configured to immediately determinewhether the mobile device 120 is in compliance with the rule 214. If themobile device 120 is not in compliance, the enterprise agent 320 can beconfigured to simply implement the special remedial action 216.

Alternatively or additionally, the agent 320 can be configured to send acompliance report to the mobile device manager 202, detailing theresults of running the special mobile device rule 214 (e.g., a reportdetailing compliance or non-compliance with the rule, and/or a degree ofcompliance). The mobile device manager 202 can be configured to usethese reports for various purposes. For example, the mobile devicemanager 202 can respond to the reports by sending, only to those mobiledevices 120 that are not in compliance with the executed mobile devicerule(s), (1) instructions for the agent 320 to run one or moreadditional mobile device rules 214 and, if the mobile device 120 is notin compliance with the additional mobile device rules 214, one or moreadditional remedial actions, or (2) additional special mobile devicerules 214 and/or special remedial actions 216. These additional mobiledevice rules 214 can check for other forms of non-compliance, based onthe assumption that a mobile device 120 that does not comply with onemobile device rule 214 is more likely to be out of compliance with othermobile device rules 214.

Example Use Cases for Device-Resident Management System

There are numerous possible “use cases” for which an enterprise may wishto use a mobile device rule 214 and an associated remedial action 216 ona mobile device 120. Examples of such use cases are now described. Itwill be understood that the following examples are not exhaustive, andthat many different types of mobile device rules 214 and associatedremedial actions 216 can be used for many different purposes. Further,skilled artisans will understand that a remedial action described belowfor a particular use case can be alternatively be executed for any othermobile device rules, problems, or use cases, as may be desired by theenterprise. Some of the use cases described below contain one or moresub-cases, also described below. Finally, some of these use casesoverlap in certain ways.

Use Case 1:

One possible use case involves a situation in which a mobile device 120is lost or stolen from its assigned user 115 (FIG. 1A). A mobile devicerule 214 can define conditions for concluding that the device is lost orstolen. The mobile device rule 214 can specify that a mobile device 120is lost or stolen, for example, when a different SIM card is installed,when a certain period of time elapses without a user login, or when themobile device is reported as lost or stolen. An associated remedialaction 216 can cause the enterprise agent 320 to remove data and/orsoftware applications 318 from the mobile device 120, such asenterprise-related applications, all applications, enterprise-relateddata, or all data. An alternative remedial action 216 can cause theagent 320 to lock the device 120 to render it unusable. These remediesare useful because the mobile device 120 may contain valuable and/orconfidential enterprise-related data that is desired to be kept frompersons not associated with the enterprise. In some implementations,then the enterprise system 110 can issue a command to the device 120 todelete the data and/or destroy an encryption key used to decrypt thedata. This command can be sent by the mobile device management system tothe mobile device 120 over a wireless carrier network 125.

Use Case 2:

This use case relates to Use Case 1. A thief can prevent a wirelesscommand, sent from the enterprise system 110, from reaching the mobiledevice 120 by removing the device's SIM card (or, depending on themobile device 120, a similar or equivalent card that securely stores,e.g., the service-subscriber key (IMSI) used to identify a subscriber onthe mobile device 120) from the SIM card port 312, which can effectivelydisable the connectivity of the mobile device 120 to the carrier network125. In such an instance, the enterprise may be prevented from deletingthe data from the device 120, and the thief may be able to access thedata. This problem can be addressed by providing a mobile device rule214 that the enterprise agent 320 uses to detect the disengagement ofthe SIM card from the SIM card port 312 of the device 120. In this usecase, the agent 320 can execute a remedial action 216 that comprisesproducing a message delivered via the user interface 304, the messageinstructing the person using the device 120 (e.g., the user 115 or athief) to reengage the SIM card with the SIM card port 312. For example,the message can instruct the person to reengage the SIM card with theSIM card port 312 within a specified time period (e.g., five minutes),or all of the data on the mobile device 120 (or just theenterprise-related data) will be deleted. In that case, the agent 320can be further configured to delete the data if the SIM card is notreengaged within the specified time period. Alternatively oradditionally, an encryption key used to decrypt the enterprise data canbe invalidated or deleted as a remedial action associated with problemsrelated to the SIM card disengagement.

Use Case 3:

The enterprise agent 320 can use a mobile device rule 214 to detect aproblem defined as the disablement of password-protection for the mobiledevice 120. A corresponding remedial action 216 can cause the agent 320to produce a message on the user interface 304, the message instructingthe user 115 to activate password-protection on the device 120, perhapswithin a specified time period. The remedial action 216 can furtherinclude instructions for the agent 320 in the event thatpassword-protection is not activated, such as disabling the mobiledevice 120, deleting enterprise-related data from the device 120,decommissioning the device 120 (e.g., revoking its certificate and/orterminating its enrollment with the mobile device manager 202), and thelike. It will be understood that deleting data from the mobile device120 (in the context of this use case or any other) can includepermanently deleting the data or, alternatively, merely deletingpointers to the data or deleting and/or invalidating data decryptionkeys. In a related example, a mobile device rule 214 can require theuser 115 to change the password periodically, such as every 90 days.

Use Case 4:

The enterprise agent 320 can use a mobile device rule 214 to detect aproblem defined as the mobile device 120 being located outside of anauthorized geographical zone, or the device being located within anunauthorized geographical zone. A geographical zone can be specified ina variety of different ways, such as by inputting a location (e.g., on amap, or longitude/latitude values), a shape and size of the geographicalzone, and a positional relationship between the inputted location andthe shape of the zone. For example, a circular zone centered about theinputted location can be defined by specifying a radius of thegeographic circle. A mobile device rule 214 can also include time ranges(hours, days, etc.) within which the restriction applies. The agent 320can detect the location of the device 120 using the GPS chip 316.

A corresponding remedial action 216 can cause the agent 320 to produce amessage delivered via the user interface 304, the message instructingthe user 115 to return the device 120 to the authorized geographicalzone or leave the unauthorized zone, for example, within a specifiedtime period. The remedial action 216 can further include instructionsfor the agent 320 in the event that the device 120 is moved asinstructed, such as disabling the mobile device 120, disabling featuresor software applications (e.g., the camera, Bluetooth connectivity,Wi-Fi connectivity, etc.) of the device 120, deleting enterprise-relateddata from the device 120, and the like. A remedial action 216 can simplysend a communication (e.g., SMS text, email) to appropriate authoritiesof the enterprise, alerting them to the mobile device's location.

Use Case 5:

As described above in Use Case 4, mobile device rules 214 caneffectively lead to activation or deactivation of mobile device featuresbased on a location of the mobile device 120 (e.g., as determined byusing the GPS chip 316) and/or temporal data. The mobile device featurein question can be the user interface 304 (keyboard, touchscreen, etc.),network interface 310, camera 314, microphone 330, USB connection, etc.

Take for example the camera 314. The enterprise agent 320 can use amobile device rule 214 to detect a problem defined as the mobile device120 being located within premises of the enterprise with the camera 314being available for use. An enterprise may wish to prevent use of thecamera 314 while the mobile device 120 is within the enterprisepremises, to prevent the camera from capturing any sensitive orconfidential information, images, or video from within the premises. Asused herein, “enterprise premises” can include any buildings,facilities, factories, campuses, design houses, or other structures orareas owned, used, or operated by the enterprise. In one embodiment, aremedial action 216 corresponding to this problem can cause the agent320 to deactivate or disable the camera 314 without the user's consent.In another embodiment, a remedial action 216 corresponding to thisproblem can cause the agent 320 to produce a message delivered via theuser interface 304, the message instructing the user 115 to deactivateor disable the camera 314, perhaps within a specified time period. Theremedial action 216 can further include instructions for the agent 320in the event that the user 115 does not deactivate or disable the camera314, such as deactivating or disabling the camera 314 without the user'sconsent. Preferably, after the remedial action 216 has been executed(and the camera 314 has been disabled), the agent 320 is configured todetect when the mobile device 120 has left the enterprise premises. Atthat point, the agent 320 can be configured to either reactivate thecamera 314 without the user's consent, or produce a message deliveredvia the user interface 304, informing the user 115 that the user isauthorized to reactivate the camera 314.

Use Case 6:

Related to Use Case 5, another example of a mobile device “feature” thatcan be regulated based on mobile device location is a softwareapplication 318, such as the device's web browser. For example, theenterprise agent 320 can use a mobile device rule 214 to detect aproblem defined as the mobile device 120 being located within premisesof the enterprise with the device's web browser being available for use.Corresponding remedial actions 216 can cause the agent 320 to instructthe user to disable the web browser (by producing a message on the userinterface 304), or to simply disable the web browser without the user'sconsent. Then, when the mobile device 120 subsequently leaves theenterprise premises, the agent 320 can be configured to detect this andeither inform the user that the web browser can be used or simplyre-enable the web browser without the user's knowledge or consent. Itwill be appreciated that other software applications 318, aside from theweb browser, can be regulated similarly.

Use Case 7:

Related to Use Cases 4 and 5, upon detecting that the mobile device 120has entered a defined geographical area (e.g., the enterprise premises),the enterprise agent 320 can be configured to execute a remedial action216 that causes the agent 320 to require the user 115 to enter apassword into the device 120 in order to use certain device features,such as the camera 314 and/or web browser. Such a remedial action may bemore appropriate for users 115 whose roles 206 require the users to haveaccess to such features within the geographical area. Once the mobiledevice 120 leaves the defined area, the agent 320 can be configured tono longer require the password for the user 115 to use such mobiledevice features.

Use Case 8:

A mobile device rule 214 can cause the enterprise agent 320 to disablecertain mobile device features (e.g., camera, microphone) based ontemporal information (possibly without considering geographical data),such as the time of the day, the day of the week, a date range of thecalendar, etc.

Use Case 9:

The mobile device 120 can comprise a credit card scanner for use withina store or other retail establishment. When an agent 320 of the scannerdetects that the scanner has physically left the store, the agent canexecute a remedial action 216 that instructs a user 115 of the scannerto return the scanner to the store, perhaps within a specified timeperiod. The remedial action 216 can further include instructions todelete scanned credit card data from the scanner if the scanner is notreturned to the store.

Use Case 10:

Another mobile device feature that can be regulated is the device'snetwork connection capability, such as the network interface 310. Theenterprise agent 320 can use a mobile device rule 214 to detect aproblem defined as the mobile device's use of the network connectioncapability to connect or attempt to connect to a communication networkthat is unsecured or blacklisted by the enterprise (e.g., a false baseWi-Fi station). For example, the user 115 may attempt to connect to anunsecured Wi-Fi network or blacklisted cellular service towers, whichmay expose the mobile device 120 to a security threat. A remedial action216 can prevent the device 120 from accessing the restricted network(s).

In another embodiment, a remedial action 216 corresponding to thisproblem can cause the agent 320 to terminate or prevent the mobiledevice's connection to the unsecured network, without the user'sconsent. In another embodiment, the remedial action 216 can cause theagent 320 to deactivate the mobile device's network connectioncapability (e.g., by shutting down the network interface 310), withoutthe user's consent. Such an action may leave one type of networkcommunication capability (e.g., cellular networks, such as 3G or 4Gnetworks) available, while only terminating a network communicationcapability (e.g., Wi-Fi) associated with the connection to the unsecurednetwork. In another embodiment, the remedial action 216 can cause theagent 320 to produce an audio alert to the user 115 or a messagedelivered via the user interface 304, the message instructing the user115 of the device 120 to terminate the connection to the unsecurednetwork, perhaps within a specified time period. In yet anotherembodiment, the remedial action 216 can cause the agent 320 to produce amessage delivered via the user interface 304, the message instructingthe user 115 of the device 120 to deactivate the device's networkconnection capability, perhaps within a specified time period. Inembodiments in which the agent 320 produces a message delivered via theuser interface 304, the remedial action 216 can further includeinstructions for the agent 320 in the event that the user 115 does notterminate the connection or deactivate the network connectioncapability, such as taking one of such actions without the user'sconsent. In still other embodiments, a remedial action 216 can cause theagent 320 to lock the mobile device 120 to render it unusable, perhapsuntil the device disconnects from the unsecured or blacklistedcommunication network.

Use Case 11:

An enterprise may wish to regulate which software applications 318 areauthorized for installation on a mobile device 120. For example, certaintypes of software applications 318 can negatively impact a user'sproductivity (e.g., by distracting the user from his or her duties),while other applications 318 can introduce a security threat (e.g.,file-sharing applications that may allow other devices to copyenterprise data stored on the mobile device 120; or a rogue applicationthat has malware or has been determined to collect device data and sendthe data to a rogue server). The enterprise agent 320 can use a mobiledevice rule 214 to detect a problem defined as the mobile device 120having installed a software application 318 that the enterprise hasblacklisted (i.e., forbidden for installation) or at least notwhite-listed (expressly permitted for installation). The agent 320 canbe configured to use device-specific API's to determine whichapplications are installed on the mobile device 120.

Since different mobile device platforms vary as to the ability of anenterprise system 110 to uninstall the unauthorized application 318without the user's consent, several different remedial actions 216 arepossible. In one embodiment, a corresponding remedial action 216 cancause the agent 320 to producing a message on the user interface 304,the message instructing the user 115 to uninstall the unauthorizedsoftware application 318 from the mobile device 120, perhaps within aspecified time period. The remedial action 216 can further includeinstructions for the agent 320 in the event that the user 115 does notuninstall the unauthorized application 318, such as disabling the mobiledevice 120, uninstalling the unauthorized application 318 (e.g., bycausing the scripting engine 322 to run a script or plan that uninstallsthe application), preventing the unauthorized application 318 fromstarting or running (e.g., by causing the scripting engine 322 to run ascript that terminates one or more processes associated with theunauthorized application 318), deleting enterprise-related data from thedevice 120 (which can also be achieved by the scripting engine 322running an appropriate script), sending an alert message (SMS text,email, etc.) to enterprise authorities about the installation of theblacklisted software application, and the like. In another embodiment, acorresponding remedial action 216 can cause the agent 320 to uninstallthe unauthorized application 318 from the mobile device 120 without theuser's consent. For mobile device platforms that do not permit anenterprise system 110 to uninstall software applications 318 from amobile device 120 without the user's consent, the enterprise may opt tocause the agent 320 to use the scripting engine 322 to run a script thatterminates one or more processes associated with the unauthorizedapplication 318, thereby preventing it from running on the mobiledevice.

An enterprise can vary the punitiveness of the remedial action based onthe role 206 of the user 115 assigned to the mobile device 120 that isrunning an unauthorized software application 318. For example, considera corporate enterprise having some users 115 with roles 206corresponding to high level executives, other users 115 having roles 206corresponding to mid-level managers, and other users having roles 206that correspond to lower level employees. For a high level executivewhose mobile device 120 has an unauthorized application 318, the agent320 can implement a remedial action 216 that simply instructs the user115 to uninstall the application 318. For a mid-level manager whosemobile device 120 has an unauthorized application 318, the agent 320 canimplement a remedial action 216 that causes the scripting engine 322 toterminate one or more processes associated with the unauthorizedapplication 318, thereby preventing it from running on the mobile device120. Moreover, the agent 320 might run such a script only under certainconditions (e.g., when the mobile device is on enterprise premisesduring normal working hours). Finally, for a lower level employee whosemobile device 120 has an unauthorized application 318, the agent 320 canimplement a remedial action 216 that uninstalls the application 318without the user's consent. Skilled artisans will appreciate that anenterprise can vary its remedial actions in many different ways based ondifferent sets of criteria, and that this is just one example.

The enterprise may allow certain software applications 318 to beinstalled on a mobile device 120, but only under certain conditions,such as conditions relating to user roles 206 and/or mobile deviceproperties 208. An enterprise may allow users 115 with particular roles206 to install such applications 318 on their devices 120, whiledisallowing other users 115 from doing so. An enterprise may allowmobile devices 120 having certain device-types to install particularsoftware applications 318, while disallowing the same for differentdevice types. Prohibitions on the installation of particular softwareapplications 318 on the mobile devices 120 can be regulated in a veryflexible and customizable way, by defining appropriate mobile devicerules 214.

Use Case 12:

Related to Use Case 11, a mobile device rule 214 can define a problem asan attempt to run (as opposed to install) a software application 318 inviolation of defined restrictions. Such restrictions can be temporal(the application is allowed to run only during certain times and/ordays), geographical (the application is allowed to run only when themobile device 120 is in one or more defined geographical zones),password-dependent (the application is allowed to run only if the userprovides a correct password associated with the application), othertypes of restrictions or conditions, or combinations thereof.

In one embodiment, the rule 214 includes a list of restricted orblacklisted applications 318, and possibly even a list of unrestrictedor white-listed applications 318. The enterprise agent 320 can use anapplication monitor service 334 (which can be part of the agent 320itself, or alternatively another part of the mobile device 120, asshown) to detect which applications 318 or processes are running. Forexample, the Android™ operating system provides a mechanism forcollecting and viewing system output, whereby logs from variousapplications and portions of the system are collected in a series ofcircular buffers, which then can be viewed and filtered by the “logcat”command. The “logcat” command can be used from an ADB (Android DebugBridge) shell to read the log messages. Alternatively, Android's DalvikDebug Monitor Server (DDMS) can automatically report “logcat”information via connection to ADB. Hence, in a mobile device 120 runningthe Android™ operating system, the enterprise agent 320 can beconfigured to “listen” to certain “logcat” information and detect theinvocation of mobile device applications of interest. It will beappreciated that other mobile device operating systems providealternative systems and methods for detecting the invocation of mobiledevice applications.

When the agent 320 determines that an application 318 is invoked, theagent 320 determines if the application is blacklisted (orwhite-listed). If the application 318 is white-listed or at least notblacklisted, the agent 320 allows the application to run. If theapplication 318 is blacklisted (or perhaps, more strictly, notwhite-listed), the agent 320 can use the rule 214 to determine thedefined restriction(s) for the application and whether the restrictionsapply. For example, if a restriction is temporal, the agent 320 candetermine if allowing the application to run currently would violate thetemporal restriction. If a restriction is geographical, the agent 320can determine if the device 120 is in a restricted geographical zone. Ifa restriction is password-dependent, the agent 320 can invoke a passwordinput activity (which can be part of a remedial action 216) that promptsthe user 115 for a password associated with the application 318. If anyof the restrictions is violated (e.g., unauthorized time or day, device120 outside of authorized geographical zone, incorrect passwordprovided, other restrictions, combinations of these restrictions, etc.as defined by the rule 214), then the agent 320 can prevent theapplication 318 from running by, e.g., using the scripting engine 322 torun a script that kills the application.

In certain embodiments, the agent 320 is configured to terminate arunning application 318 if the use restriction is violated after theapplication 318 was invoked. In other words, if the use conditions aremet at the invocation of the application 318, but then subsequentlyviolated during the use of the application 318, the agent 320 can beconfigured to kill the application 318. For example, suppose that theapplicable mobile device rule 318 allows for an application 318 to beused only during a defined time window, and that the application 318 isinvoked during the allowed time window but then remains in use at theexpiration of the time window. In this case, the rule 318 may direct theagent 320 to terminate the application 318. In another example, supposethat the mobile device rule 318 allows for an application 318 to be usedonly when the mobile device 120 is in a defined geographical zone, andthat the application 318 is invoked when this condition is met. Supposefurther that the user 115 takes the device 120 outside of the definedgeographical zone during the use of the application 318. In this case,the rule 318 may direct the agent 320 to terminate the application 318as soon as the device 120 leaves the defined geographical zone.

Use Case 13:

A mobile device rule 214 can also define a problem as the removal of arequired software application 318 from the mobile device 120. A user 115might accidentally or intentionally uninstall the application. Anassociated remedial action 216 can cause the enterprise agent 320 tonotify the user 115 of the removal of the application 318, and that itsreinstallation is required.

Use Case 14:

Related to Use Case 13, a mobile device rule 214 can also be used by theenterprise agent 320 to detect when a required software application 318is installed but not running on the mobile device 120. An associatedremedial action 216 can cause the enterprise agent 320 to notify theuser 115 and instruct the user to run the required application.

Use Case 15:

The enterprise agent 320 can use a mobile device rule 214 to detect aproblem defined as the mobile device 120 storing enterprise-related datafor which the device is not authorized to store. In one embodiment, acorresponding remedial action 216 can cause the agent 320 to produce amessage on the user interface 304, the message instructing the user 115to delete the unauthorized enterprise-related data from the mobiledevice 120, perhaps within a specified time period. The remedial action216 can further include instructions for the agent 320 in the event thatthe user does not delete the data, such as deleting the data from thedevice 120 without the user's consent, disabling the device 120, and thelike. In another embodiment, a corresponding remedial action 216 cancause the agent 320 to delete the enterprise-related data from themobile device 120 without the user's consent.

Use Case 16:

A mobile device rule 214 can be used by an enterprise agent 320 todetect when the mobile device 120 is in a roaming network, and anassociated remedial action 216 can cause the agent 320 to alert the user115 of the same. A remedial action 216 can also cause the agent 320 toconnect the device 120 to available Wi-Fi networks while the device isroaming.

Use Case 17:

A remedial action 216 can cause the agent 320 to begin recording themobile device's location for a certain time period, such as when thedevice 120 is roaming. The agent 320 can report this information back tothe enterprise system 110.

Use Case 18:

A mobile device rule 214 can cause the enterprise agent 320 to activateor make applicable new mobile device rules 214 if a mobile device 120goes a certain time period (e.g., a few hours or days) withoutconnecting to the enterprise system 110.

Use Case 19:

A mobile device rule 214 can cause the enterprise agent 320 to togglethe mobile device 120 from its airplane mode if a Wi-Fi or other networkbecomes available to the device.

Use Case 20:

If the mobile device 120 uses a VPN, a mobile device rule 214 can causethe enterprise agent 320 to disable connectivity to networking hotspots.

Use Case 21:

Related to Use Case 11, a mobile device rule 214 can cause theenterprise agent 320 to detect when a user 115 or mobile device 120attempts to use a software application 318 (e.g., Facebook™, Dropbox™,Gmail™, Hotmail™, etc.) to send enterprise data that is sensitive orconfidential. An associated remedial action 216 can cause the agent 320to kill the software application 318, uninstall it, or other actionpreventing the data transfer.

Use Case 22:

Related to Use Case 21, a mobile device rule 214 can cause theenterprise agent 320 to detect when a user 115 or mobile device 120 isconnected to an enterprise resource 130 and accessing sensitive orconfidential data. In certain circumstances, a remedial action 216 cancause the agent 320 to prevent the device 120 from downloading, copying,and/or sending the data to anyone else.

Use Case 23:

A mobile device rule 214 can cause the enterprise agent 320 to detectwhen the number of SMS messages in a mobile device inbox exceeds adefined amount, and an associated remedial action 216 can cause theagent 320 to alert an IT administrator of the same.

Use Case 24:

A mobile device rule 214 can cause the enterprise agent 320 to monitorthe mobile device's message inbox and detect inbound SMS messages fromblacklisted telephone numbers or messages that include enterpriseinformation that is confidential or sensitive. An associated remedialaction 216 can cause the agent 320 to alert an IT administrator of thesame, disable the device 120, delete the sensitive messages, disable thedevice's messaging capability, and the like.

Use Case 25:

Related to Use Case 24, a mobile device rule 214 can cause theenterprise agent 320 to monitor the mobile device's outbound messagequeue and detect outbound SMS messages to blacklisted telephone numbersor messages that include enterprise information that is confidential orsensitive. An associated remedial action 216 can cause the agent 320 toalert an IT administrator of the same, disable the device 120, deletethe sensitive messages, disable the device's messaging capability, andthe like.

Use Case 26:

A mobile device rule 214 can be used by the enterprise agent 320 todetect when a new or unauthorized SIM card is inserted into the mobiledevice 120. A remedial action 216 can cause the agent 320 to send acommunication to enterprise authorities of the new SIM card, instructthe user 115 to remove the SIM card, etc.

Use Case 27:

A mobile device rule 214 can be used by the enterprise agent 320 todetect a pattern or signature of suspicious behavior by a user 115 of amobile device 120. For example, the rule 214 can define a probleminvolving some logical combination of user behaviors, such asfrequenting of blacklisted or suspicious websites, use of blacklisted orsuspicious IP addresses, and/or the installation or running ofblacklisted mobile device applications. If the agent 320 determines thatthe behaviors of a user 115 have violated the rule 214, the agent 320can enforce a remedial action 216 such as preventing the user 115 fromlogging into the enterprise system 110, deleting all enterprise datafrom the device 120, etc.

Some mobile device operating systems do not permit an application (suchas the enterprise agent 320) to see what other applications on thedevice 120 are doing. This is sometimes referred to as the “sandboxing”of applications on the device 120. Preferably, the mobile device'sapplications whose usage is necessary to implicate the mobile devicerule 214 that defines the user's suspicious behavior pattern areprogrammed to record these behaviors into a secure document container336, which is described more fully below. By doing so, the agent 320 canbe configured to read those suspicious behaviors by accessing thecontainer 336.

Use Case 28:

The enterprise agent 320 can use a mobile device rule 214 to detect aproblem defined as the mobile device's receipt of an unauthorized orsuspicious network connection. Generally, a mobile device 120 receivesmuch fewer incoming network connections than it generates outgoingconnections, because users 115 of mobile devices 120 more typicallyconnect outwardly (e.g., when users 115 browse web sites, search onlinestores, etc.). Hence, the incoming network connection may be due to anattempt by a third party to hack into the mobile device 120 fornefarious reasons, such as to steal enterprise information, disable thedevice 120, and the like. Of course, there are some instances whenincoming connections are authorized or benign, such as when a mobiledevice 120 receives email. However, email is typically received througha well known port of the device 120, which the agent can be configuredto determine. Thus, the enterprise agent 320 can be configured to reactto the receipt of an incoming network connection by inspectingparameters of the connection (e.g., the mobile device port for theconnection). If the inspection leads to a determination that theincoming connection is authorized, then the agent 320 can be configuredto allow the incoming connection. On the other hand, if the inspectionleads to a determination that the incoming connection is not authorizedor is suspicious, the agent 320 can be configured to execute acorresponding remedial action 216 that denies, prevents, or terminatesthe unauthorized or suspicious network connection. This functionalitymay be referred to as a “mobile firewall.”

Cloud-Based Enterprises

In some embodiments, the enterprise system 110 is provided substantiallyor entirely within the cloud 156. Any needed mobile device managementsystems 126, secure mobile gateways 128, and enterprise resources 130are deployed substantially or entirely within the cloud 156 in suchcloud-based enterprise systems 110. A meta-application system can bedeployed within the cloud 156 and/or the mobile devices 120 to helpmanage the devices 120. Such embodiments may or may not include anon-cloud enterprise system, or meta-application components deployedwithin a non-cloud enterprise system.

For example, an enterprise (e.g., a social networking enterprise) canprovide mobile devices 120 (e.g., iPads™) to a group of people, withmeta-application components being deployed within the devices 120, andwith meta-application components and any needed systems 126, gateways128, and resources 130 being deployed solely within the cloud 156. Incertain embodiments, an enterprise can use policies (e.g., accesspolicies 218) stored within the cloud 156 and/or the devices 120 to helpmanage or restrict mobile device communications or access to cloud-basedenterprise resources. The meta-application can also be used tomonitor/measure/remediate the cloud or cloud-based services used by theenterprise.

Improved Communication Experience Between Enterprise and Mobile Devices

For many carrier networks 125, there are typically some geographicalareas in which wireless service is weak or unavailable. This can occurif, for example, the wireless carrier has relatively few or no cellularcommunication nodes or towers in such areas. With reference to FIG. 1A,the network connection 142 between the mobile device 120 and the carriernetwork 125 is often unreliable, particularly when the mobile device 120is located within such areas with weak or nonexistent wireless service.Accordingly, the network connection 142, 144 between the mobile device120 and the enterprise system 110 is often unreliable.

From the perspective of a mobile device 120, the loss of the networkconnection 142 can be inconvenient when a user 115 inputs data to besent to an enterprise resource 130 of the enterprise system 110. Forexample, a software application 318 may be configured to open a networkconnection 142, 144 to the mobile device management system 126 or othernetwork component, and to request data input from the user, typicallyvia the user interface 304 of the mobile device 120. For instance, anapplication 318 can be configured to provide one or more data fields onthe display 326, the data fields configured to receive the user's dataas text entry via the keypad 324. The application 318 can be furtherconfigured to send the data to the enterprise resource 130 once the datais input by the user 115. However, if the network connection 142 is lostbefore the data is sent to the mobile device management system 126, theapplication 318 might discard the data that the user 115 input. Forexample, the application 318 might discard the data upon receipt of aTCP socket error reporting the lost connection 142. Or, the application318 may attempt to send the data to the mobile device management system126 and wait for a reply. Since the connection 142 is lost, theapplication 318 would eventually time-out after receiving no reply for acertain time period. In either case, the application 318 might discardthe data that the user 115 provided, without the data being sent to themobile device management system 126. Ultimately, this makes the user 115re-enter the data once the connection 142 is regained.

A somewhat similar dynamic may occur from the perspective of anenterprise resource 130 and tunneling mediator 224 (or other tunnelingmediator). In particular, the mobile device's network connection 142 canbecome lost when the tunneling mediator 224 attempts to send data to amobile device 120 via an application tunnel.

In some embodiments, upon the creation of an application tunnel betweena software application 318 of a mobile device 120 and an enterpriseresource 130 as described above, the device's enterprise agent 320and/or the enterprise's tunneling mediator 224 (or other tunnelingmediator) can be configured to enhance communications between the mobiledevice 120 and the enterprise resource 130, by caching data. Forexample, the agent 320 can cache data on the mobile device 120, and thetunneling mediator 224 can cache data within the mobile devicemanagement system 126.

FIG. 10 is a flowchart illustrating an embodiment of a method in which amobile device 120 can cache data input by a user 115 in response to aloss of a network connection 142 to an enterprise computer system 110.The method is described in the context of FIG. 1A, but could also beused in other computing systems, such as any of the systems of FIGS.1B-1E. The method begins in step 1002, in which a software application318 on the mobile device 120 prompts the user 115 for data. At thispoint, an application tunnel may have already been formed between theapplication 318 and an enterprise resource 130 via a tunneling mediator.In step 1004, the application 318 receives the data, for example, viathe user interface 304 of the mobile device 120. In step 1006, theapplication 318 generates a request to send the received data to anenterprise resource 130 of the enterprise system 110. In step 1008, theenterprise agent 320 receives or intercepts the application's request tosend the received data to the enterprise resource 130. In decision step1010, the agent 320 determines the availability of the networkconnection 142, 144 between the mobile device 120 and the tunnelingmediator 224. If the network connection 142, 144 is available, then, instep 1012, the agent 320 begins sending the data to the tunnelingmediator via the connection 142, 144. For example, the agent 320 canopen up a TCP socket to the tunneling mediator server. If the agent isable to send all of the data received from the user 115, the application318 may take no further action relate to the data previously receivedfrom the user at step 1004. In some embodiments, the method may returnto step 1004 if the user 115 is still inputting new data to theapplication 318.

If the network connection 142, 144 is lost and unavailable, then, instep 1016, the agent 320 can prevent the software application 318 fromdetecting the loss of the network connection 142, 144. For example, theagent 320 can prevent the application 318 from detecting a TCP socketerror caused by the loss of the connection 142, 144. Then, in step 1018,the agent 320 caches at least a portion (and preferably all) of thereceived data that has not been sent from the mobile device 120 to thetunneling mediator 224. The data can be cached in any suitablemachine-readable memory device, such as the random access memory 308,the hard drive 306, flash memory, or a memory card engaged with thememory card port 307 of the mobile device 120. Then, in decision step1020, the agent 320 determines whether the network connection 142, 144to the tunneling mediator 224 has been regained. The determination indecision step 1020 can involve the agent 320 receiving a notificationfrom a notification service to which the agent has subscribed. If thenetwork connection 142, 144 to the tunneling mediator 224 has not beenregained, the method can wait for a time period and then return todecision step 1020. Once the network connection 142, 144 is regained,the agent 320 sends the cached data to the tunneling mediator 224 viathe regained network connection 142, 144.

In the illustrated embodiment, the enterprise agent 320 cachesuser-provided data (step 1018) only after the agent 320 determines thatthe connection to the tunneling mediator 224 has been lost (step 1010).In other embodiments, the agent 320 can be configured to cacheuser-provided data before determining whether the connection to thetunneling mediator 224 is lost or available. For instance, the agent 320can cache the data in response to receiving the data from the user atstep 1004. In such embodiments, the cached data can be erased after thedata has been sent to the tunneling mediator 224.

It will be appreciated that the software application 318 may conduct aprocess in which the user inputs data in several successive stages,wherein the application 318 attempts to send the received data aftereach stage. If the network connection 142, 144 is lost before the finaldata input stage, and the application 318 receives additional data afterthe connection 142, 144 is lost, then the enterprise agent 320 can beconfigured to cache at least a portion (and preferably all) of theadditional data. In that case, the agent 320 can respond to a regainingof the network connection 142, 144 by sending the cached additional datato the tunneling mediator via the regained network connection 142, 144.

As noted above, in step 1016 the enterprise agent 320 can prevent thesoftware application 318 from detecting the loss of the networkconnection 142, 144. From the perspective of the software application318, the connection 142, 144 is available in such circumstances. As faras the application 318 is concerned, it has an IP address and a serverport with which to communicate. In this way, the application 318 can begiven the impression that it is communicating with the enterpriseresource 130, when in reality it is either communicating only with theagent 320 (when the connection 142, 144 is lost) or with the tunnelingmediator 224 via the agent 320 (when the connection 142, 144 isavailable). When the connection 142, 144 is lost, the agent 320 can givethe application 318 the impression that the enterprise resource 130 isstill in the process of reading and responding to the request, therebypreventing the application 318 from timing out.

The mobile device user's experience can be similar to that of theapplication 318. The user's experience is dependent on the application318. So, if the agent 320 keeps the application 318 unaware of the lostnetwork connection 142, 144, the user may also remain unaware of it.This method can prevent, for example, the aforementioned problem of theuser having to reenter the data into the application 318 when theconnection 142, 144 is lost.

In some cases, particularly when a mobile device 120 is downloading alarge amount of data from the enterprise system 110, it may be useful torespond to a lost network connection by caching data packets within theenterprise system 110. FIG. 11 is a flowchart illustrating an embodimentof a method in which an enterprise computer system 110 caches data to besent to a mobile device 120 when a network connection 142, 144 to themobile device 120 is lost. The method is described in the context of anenterprise resource 130 sending data to the mobile device 120. While themethod is described in the context of FIG. 1A, it could be used in othercomputing systems, such as any of the systems of FIGS. 1B-1E. The methodbegins in step 1102, wherein an application tunnel is establishedbetween a mobile device application 318 and an enterprise resource 130,via the tunneling mediator 224, for example, as described above. Forinstance, the application tunnel may be established in response to anaccess request generated by a software application 318 on the mobiledevice 120. In step 1104, the tunneling mediator 224 receives one ormore data packets from the enterprise resource 130. In decision step1106, the tunneling mediator 224 determines whether the networkconnection 142, 144 between the tunneling mediator 224 and the mobiledevice 120 is available. If the network connection 142, 144 isavailable, then, in step 1108, the tunneling mediator 224 sends the datapackets to the mobile device 120 via the network connection 142, 144. Onthe other hand, if the network connection 142, 144 is not available,then, in step 1110, the tunneling mediator 224 caches the one or morereceived data packets in a computer-readable storage, such as a storageof the mobile device management system 126. In step 1110, the tunnelingmediator 224 can be configured to send to the enterprise resource 130,one or more acknowledgements of receipt of the data, on behalf of themobile device 120, if the resource 130 expects such acknowledgement(s)from the device 120. After either of steps 1108 and 1110, the tunnelingmediator 224 determines, in decision step 1112, whether the tunnelingmediator 224 is receiving additional data packets from the enterpriseresource 130. If so, then the method returns to decision step 1106. Ifnot, then the method can end in step 1114.

In the illustrated embodiment, the tunneling mediator 224 caches data(step 1110) only after the mediator 224 determines that the connectionto the mobile device 120 has been lost (step 1106). In otherembodiments, the tunneling mediator 224 can be configured to cache thedata before determining whether the connection to the mobile device 120is lost or available. For instance, the tunneling mediator 224 can cachethe data responsive to receipt of the data from the enterprise resource130. In such embodiments, the cached data can be erased after the datahas been sent to the mobile device 120.

As noted above, during the method illustrated in FIG. 10, the enterpriseagent 320 on the mobile device 120 preferably gives the softwareapplication 318 (which may be the intended recipient of the data beingsent by the enterprise resource 130) an impression that the networkconnection 142, 144 has not been lost, using the methods describedabove. Similarly, the tunneling mediator (e.g., the mediator 224) can beconfigured to give the enterprise resource 130 an impression that thenetwork connection 142, 144 has not been lost, for example, inaccordance with the method illustrated in FIG. 11.

In some embodiments, the tunneling mediator (e.g., the mediator 224)and/or the enterprise agent 320 is configured to compress datatransmitted through the application tunnel. The tunneling mediator canbe configured to compress data received from the enterprise resource 130(or another resource outside the enterprise system 110) through theresource network connection 152, and to send the compressed data to themobile device 120 through the network connection 142, 144. Upon receiptof the compressed data, the enterprise agent 320 can be configured todecompress the data before it is provided to a software application 318that is the intended recipient of the data. Thus, the application 318need not be capable of decompressing the data.

Similarly, the mobile device's enterprise agent 320 can be configured tocompress data intercepted or received from a software application 318,and to send the compressed data to the tunneling mediator through thenetwork connection 142, 144. Upon receipt of the compressed data, thetunneling mediator can be configured to decompress the data before it isprovided to an enterprise resource 130 (or another resource outside theenterprise network 110) that is the intended recipient of the data.Thus, the enterprise resource 130 need not be capable of decompressingthe data.

This compression functionality can be useful when the mobile device 120is sending or receiving large data files, or when the mobile device 120is in an area in which the network connection 142, 144 has lowbandwidth. In certain embodiments, data is compressed by about 20-95%.The extent of the data compression can depend on the data type, theavailable bandwidth of the network connections 142, 144, and 152, aswell as other factors. Moreover, both the application 318 and the user115 of the mobile device 120 can remain unaware of the compression anddecompression of the data.

In some embodiments, an application tunnel can be used by the enterprisesystem 110 for error correction (e.g., parity checks), resending of lostdata packets, etc. The tunneling mediator 224 can be used for loadbalancing or thread safety/synchronization of a thread unsafe serverapplication.

“Remote Control” of Mobile Devices

In some embodiments, a “remote control” system and methodology can beprovided to allow an enterprise's mobile devices 120 to be diagnosed andcontrolled by one or more helpdesk operators, administrators or otherpersons (collectively referred to herein as “controllers”) at computers(“controller computers”) that are remotely located with respect to themobile devices 120. Such systems and methods are now described.

With reference to FIGS. 2 and 12, the mobile device management system126 can be configured to facilitate a “remote control session” between amobile device 120 and a controller computer 1200 having installedthereon a remote control module 1202. The controller computer 1200 isoperated by a user referred to herein as a controller 1204 and may belocated either within or outside of the enterprise computer system 110(FIG. 1A). In this context, the tunneling mediator 224 can help form anapplication tunnel between the controller computer 1200 and theenterprise agent 320 (FIG. 3) of the mobile device 120.

With reference to FIG. 12, the remote control module 1202 is preferablyconfigured to initiate a network connection (e.g., over the Internet) toa server associated with the tunneling mediator 224 (e.g., a server onwhich the tunnel definitions 228 are stored, or a proxy server). In someembodiments, this connection is via an application tunnel, such as thosedescribed above. It will be appreciated that the enterprise may havemultiple mobile device management systems 126. Hence, the remote controlmodule 1202 can allow the controller 1204 to specify one or moretunneling mediators 224 with which to connect.

A user 115 of a mobile device 120 may encounter technical difficultieswith the user's mobile device 120, and may wish to seek help from ahelpdesk service. A helpdesk service can be operated exclusively by orfor the enterprise, or alternatively for multiple enterprises. In someembodiments, the user 115 can request a remote control session with acontroller computer 1200 by contacting the helpdesk service (e.g., by aphone call, email, text message, and the like). In such embodiments, acontroller 1204 associated with the helpdesk service can then cause aremote control module 1202 of a controller computer 1200 to send to theuser's mobile device 120 a request for a remote control session betweenthe controller computer 1200 and the mobile device 120. In someembodiments, the enterprise agent 320 of a mobile device 120 allows theuser 115 to request or initiate a remote control session with thecontroller computer 1200. In some embodiments, a remote control sessioncan be initiated by a controller 1204 without first being requested bythe user 115.

FIG. 13 is a flowchart illustrating an embodiment of a method in which acontroller computer 1200 (FIG. 12) participates in a remote controlsession with a mobile device 120. The method begins at a point at whichthe remote control module 1202 has connected to a server associated withthe tunneling mediator 224 (or another mediator of remote controlsessions with mobile devices 120).

In step 1302, the remote control module 1202 provides, for thecontroller 1204, identifications of one or more mobile devices 120 thatare available for a remote control session. This may be achieved by theremote control module 1202 sending a request to the mobile devicemanagement system 126 for such identifications, and the mobile devicemanager 202 responding by looking up the information in the mobiledevice information 204 and sending the requested information to thecontroller computer 1200. The provided identifications can comprise,e.g., the names or usernames of the users 115 assigned to the mobiledevices 120. The identified devices 120 can be filtered (e.g., by themobile device manager 202 or the remote control module 1202) inaccordance with any criteria, such as criteria specified by thecontroller 1204 to the remote control module 1202. For example, theremote control module 1202 can list only those mobile devices 120 thatare currently connected to the enterprise system 110, or only thosemobile devices 120 or users 115 that are members of a defined usergroup, etc. Also, the remote control module 1202 can be configured toallow the controller 1204 to conduct searches against the enrolledmobile devices 120, to, e.g., search for a specific device 120 or user115. In addition to identifying the users 115 of the mobile devices 120to the controller 1204, the remote control module 1202 can also beconfigured to provide additional information about the identifieddevices 120, such as device model, operating system version, platform,etc. The mobile device manager 202 can obtain such information from themobile device information 204, such as the mobile device properties 208.

Referring still to FIG. 13, in step 1304 the remote control module 1202receives from the controller 1204 a selection of at least one of themobile devices 120, and/or an instruction to initiate a remote controlsession with the selected device 120. In step 1306, the remote controlmodule 1202 sends a request for a remote control session to the selectedmobile device 120. In embodiments in which the remote control sessionsare conducted via application tunnels, the request can be sent to thetunneling mediator 224. In other embodiments, the request is sentdirectly to the selected mobile device 120. In step 1308, the controllercomputer 1200 begins to repeatedly receive batches of newly updated“user interface emulation data” from the mobile device 120. In anapplication tunnel context, this data flows from the mobile device 120to the controller computer 1200 via the tunneling mediator 224. Userinterface emulation data may comprise data that the enterprise agent 320of the mobile device 120 captures using any of various device display“scraping” methods (also referred to as “screen scraping” and/or “screenbuffer capture”), as known generally in the desktop computer field. Forexample, in the desktop computer environment, one known protocol forproviding a graphical interface to another computer is Remote DesktopProtocol (RDP), developed by Microsoft™.

With continued reference to FIG. 13, in step 1310, the remote controlmodule 1202 uses the user interface emulation data to emulate a currentstate of the user interface 304 of the mobile device 120. For example,FIG. 14 shows an embodiment of a screen display for a controllercomputer 1200, including a virtual user interface 1402 that emulates auser interface 304 of a mobile device 120 engaged in a remote controlsession with the controller computer 1200. Referring again to FIG. 13,steps 1308 and 1310 will ordinarily occur repeatedly and one after theother. Accordingly, a batch of user interface emulation data is received(step 1308) and then used by the remote control module 1202 to emulatethe mobile device's user interface 304 (step 1310), and then a new batchof user interface emulation data is received (step 1308) and then usedto emulate the user interface 304 (step 1310), and so on. In thismanner, the remote control module 1202 keeps updating the emulated userinterface to reflect a current state of the user interface 304.

Preferably, the remote control module 1202 of the controller computer1200 allows the controller 1204 to issue commands to the mobile device120. Such commands are referred to herein as “remote control commands.”Accordingly, referring still to FIG. 13, the remote control module 1202can receive, in step 1312, remote control commands from the controller1204. In some embodiments, the controller 1204 can provide thesecommands via the emulated user interface 1402. The remote controlcommands can be for accessing resources installed on the mobile device120. In this context, the mobile device resources can include operatingsystem features and functionalities, software applications, mobiledevice hardware, data resources, files, and the like. Then, in step1314, the remote control module 1202 sends the remote control commandsto the mobile device 120. At least some of the remote control commandscan be commands that the user 115 could otherwise input directly intothe mobile device 120. The mobile device 120 can react to such remotecontrol commands as if they were received via the user interface 304 ofthe device 120. These types of remote control commands will typicallycause the user interface 304 of the mobile device 120 to change, whichin turn will be reflected in a new batch of user interface emulationdata received from the mobile device. Accordingly, in step 1316, theremote control module 1202 receives updated user interface emulationdata from the mobile device 120, reflecting a state of the device's userinterface 304 after the device 120 reacts to at least some of the remotecontrol commands, as if they were received via the user interface 304.Then, in step 1318, the remote control module 1202 uses the updated userinterface emulation data to emulate the current state of the userinterface 304 of the mobile device 120.

In certain embodiments, the remote control module 1202 can allow thecontroller 1204 to view information about the mobile device 120. Thecontroller's viewing of information can be sequestered from the userinterface 304 of the mobile device 120. Hence, in step 1320, the remotecontrol module 1202 can receive a request from the controller 1204 forinformation about the mobile device 120. In step 1322, the remotecontrol module 1202 can send the request for information to the mobiledevice 120. The request can essentially automate an API for a mobiledevice feature that returns requested information (e.g., API's for taskmanager, file explorer, registry editor, etc.). In step 1324, the remotecontrol module 1202 can receive the requested information from themobile device 120, preferably without displaying the information withinthe emulated user interface 1402. In step 1326, the remote controlmodule 1202 can display the requested information on a displayassociated with the controller computer 1200, preferably in a locationother than the emulated user interface 1402. Examples of mobile deviceinformation that can be requested in steps 1320 and 1322, received instep 1324, and displayed in step 1326 include the mobile device's systeminformation, processes occurring on the mobile device, files stored onthe mobile device, the mobile device's registry, and other data.

For example, the screen display of FIG. 14 includes a system informationdisplay 1404 shown next to the emulated user interface 1402. The systeminformation display 1404 can provide some or all of, e.g., the mobiledevice's operating system version, platform, model, hardware serialnumber, CPU type, total storage memory capacity, storage memory in use,storage memory that is free, total RAM, RAM in use, RAM that is free,total storage card memory (e.g., SD card) capacity, storage card memoryin use, storage card memory that is free, AC power availability,remaining battery power, and/or device usage time available fromremaining battery power. It will be appreciated that additional systeminformation can also be provided.

In another example, FIG. 15 shows an embodiment of a screen display of acontroller computer 1200 engaged in a remote control session with amobile device 120, wherein the screen display includes a task managerdisplay 1502 showing application processes occurring on the mobiledevice 120. The illustrated task manager display 1502 is shown next tothe emulated user interface 1402. The task manager display 1502 can showsome or all of, e.g., names of applications associated with theprocesses, amounts of RAM being used by the processes, percentages ofCPU power being utilized by the processes, amounts of CPU time consumedby the processes, numbers of threads associated with the processes, andthe device paths. It will be appreciated that additional informationconcerning such processes can also be provided. In some embodiments, thecontroller 1204 can issue remote control commands (to the remote controlmodule 1202) associated with the task manager, such as terminating oneor more processes on the mobile device 120. For instance, such remotecontrol commands can be issued responsive to a selection made via thetask manager display 1502.

FIG. 16 shows an embodiment of a screen display of a controller computer1200 engaged in a remote control session with a mobile device 120,including an interface 1602 for viewing files stored on the mobiledevice 120 (in any of the aforementioned memory storages), downloadingfiles from the mobile device 120 to the controller computer 1200, and/oruploading files from the controller computer 1200 or from a differentnetworked computer to the mobile device 120. The commands issued by thecontroller 1204 to the remote control module 1202 to view files,download files, and/or upload files can be sent to the mobile device 120as remote control commands.

In another example, FIG. 17 shows an embodiment of a screen display of acontroller computer 1200 engaged in a remote control session with amobile device 120, including an interface 1702 for viewing and/orediting a registry of the mobile device 120. The illustrated registryinterface 1702 is shown next to the emulated user interface 1402.

FIG. 18 is a flowchart illustrating an embodiment of a method in which amobile device 120 participates in a remote control session with acontroller computer 1200. The method shown in FIG. 18 can correspond tothe method shown in FIG. 13, except that the method of FIG. 18 is shownfrom the perspective of a mobile device 120. As described elsewhereherein, the mobile device 120 can comprise a user interface 304configured to receive local commands from a user 115 of the mobiledevice 120, for accessing resources installed on the mobile device.Further, the user interface 304 is typically configured to conveyinformation to the user 115, such as via a screen or display 326.

The method begins in step 1802, in which the enterprise agent 320 of themobile device 120 receives a request from a controller computer 1200 toparticipate in a remote control session with the controller computer. Insome embodiments, the agent 320 can be configured to automaticallyaccept such requests. In other embodiments, the agent 320 is configuredto obtain permission from the user 115 to participate in the remotecontrol session, e.g., by prompting the user for an indication ofpermission. In the illustrated method, the agent 320 determines, indecision step 1804, whether to accept the request. If the agent 320 doesnot accept the request (e.g., due to the user 115 denying the request,or due to the user 115 simply not giving permission within a predefinedtime period), then the method can end in step 1806.

On the other hand, if the enterprise agent 320 accepts the request, thenthe agent 320 responds to the request by requesting or establishing anapplication tunnel connection with the controller computer 1200 andobtaining, in step 1808, user interface emulation data (described above)from the mobile device 120. In step 1810, the agent 320 sends the userinterface emulation data to the controller computer 1200. The agent 320can repeatedly send updated user interface emulation data, for exampleat fixed time intervals or perhaps only when changes occur to the mobiledevice's user interface 304.

Referring still to FIG. 18, in step 1812 the agent 320 can receiveremote control commands from the controller computer 1200, for accessingresources installed on the mobile device 120. As mentioned above, suchmobile device resources can include operating system features andfunctionalities, software applications, mobile device hardware, dataresources, files, and the like. At least some of these remote controlcommands can be commands that the user 115 could otherwise inputdirectly into the mobile device 120 via the user interface 304. Hence,in step 1814, the mobile device 120 reacts to at least some of theremote control commands as if they were received via the user interface304. Step 1814 can involve the agent 320 translating and/or providingthe remote control commands to the device's hardware and/or software ina native language of the device, in the same manner that such hardwareand/or software would receive the commands if the commands had beenreceived via the mobile device's user interface 304. Since step 1814 canresult in changes to the device's user interface 304, the agent 320 canbe configured to subsequently send updated user interface emulation datato the controller computer 1200.

In step 1816, the enterprise agent 320 of the mobile device 120 receivesa request from the controller computer 1200 for information about themobile device. For example, such information can include the informationdescribed above in steps 1320, 1322, 1324, and 1326 of FIG. 13. In step1818, the agent 320 sends the requested information to the controllercomputer 1200, without displaying the information on the user interface304 of the mobile device 120.

In conducting a remote control session with a remote control module 1202of a controller computer 1200, the enterprise agent 320 of a mobiledevice 120 can be configured to allow the controller 1204 to executeactions on the mobile device 120. In some cases, these can includeactions that even the user 115 of the device 120 cannot perform (e.g.,if the remote control module 1202 has functionality beyond that of thesoftware applications 318 installed on the mobile device 120).

It will be appreciated that the remote control module 1202 can beconfigured to allow the controller 1204 to conduct numerous otheroperations against the mobile device 120 during a remote controlsession. For example, the remote control module 1202 can be configuredto allow the controller 1204 to shut down or reboot the mobile device120. In another example, the remote control module 1202 can beconfigured to allow the controller 1204 to install new software onto themobile device 120. This may involve sending software applicationinstallation files from the controller computer 1200 or anothernetworked computer to the mobile device 120, and then installing theapplication. In another example, the remote control module 1202 can beconfigured to allow the controller 1204 to uninstall softwareapplications 318 from the mobile device 120. Many other operations arepossible.

In some embodiments, the remote control module 1202 of the controllercomputer 1200 and the enterprise agent 320 of the mobile device 120 areconfigured to enable the controller 1204 and the mobile device user 115to communicate with one another, using the controller computer 1200 andmobile device 120. For example, the remote control module 1202 and theenterprise agent 320 can be configured to enable a voice over internetprotocol (VoIP) session that allows the controller 1204 and user 115 tospeak to each other audibly. The mobile device 120 can use the speaker328 of the mobile device 120 to audibly broadcast the controller'sspeech (input via a microphone of the controller computer 1200) to theuser 115. Alternatively, the user 115 can listen to the controller'sspeech by connecting a pair of headphones to a headphone jack of themobile device 120. Similarly, a speaker of the controller computer 1200can broadcast the user's speech (input at the microphone 330 of themobile device 120) to the controller 1204.

In another example, the remote control module 1202 and the enterpriseagent 320 can be configured to enable a text chat session between thecontroller 1204 and the user 115. FIG. 19A shows an embodiment of ascreen display of a controller computer 1200 engaged in a remote controlsession with a mobile device 120, including a chat session interface. Inthe illustrated embodiment, the remote control module 1202 produces achat session area 1902 in which the controller 1204 can enter textcommunications to be sent to the user 115, and in which the user's textcommunications are displayed to the controller 1204. The illustratedchat session area 1902 is shown next to the emulated user interface1402. FIG. 19B shows an embodiment of the mobile device 120 emulated inFIG. 19A. The enterprise agent 320 is preferably configured to display,on the screen 326 of the mobile device 120, substantially the same textcommunications displayed in the chat session area 1902 of FIG. 19A.

In another example, the remote control module 1202 and the enterpriseagent 320 can be configured to enable shared whiteboard communicationsbetween the controller 1204 and the user 115. FIG. 20 shows anembodiment of a screen display of a controller computer 1200 engaged ina remote control session with a mobile device 120, including a sharedwhiteboard feature. In the illustrated embodiment, the remote controlmodule 1202 allows the controller 1204 to superimpose images 2002 ontothe emulated user interface 1402. The agent 320 of the mobile device 120can be configured to receive the images 2002 and then superimpose themonto the screen 326 of the mobile device 120. The images 2002 cancomprise, for example, text, drawings, and the like. In the illustratedscreen display, the controller 1204 has circled an icon on the emulateduser interface 1402 and superimposed the words “click here.”

In certain embodiments, the remote control module 1202 is configured toallow the controller 1204 to adjust the view of the emulated userinterface 1402. For example, in various embodiments, the remote controlmodule 1202 is configured to allow the controller 1204 to adjust theemulated interface's resolution, color scheme, bits per pixel (BPP),zoom level, rotational orientation, etc. Further, the remote controlmodule 1202 can be configured to allow the controller 1204 to adjust a“refresh rate” at which the enterprise agent 320 of the mobile devicesends updated user interface emulation data to the controller computer1200. The remote control module 1202 can also be configured to allow thecontroller 1204 to specify whether the data received from the mobiledevice 120 is to be compressed by the enterprise agent 320, as wellspecify the degree of compression.

In certain embodiments, the remote control module 1202 is configured tocapture and save aspects of remote control sessions. For example, theremote control module 1202 can be configured to allow the controller1204 to capture images of the emulated user interface, print the imagesonto a hardcopy printout, to record video of a remote control session,and the like. The remote control module 1202 can be configured to allowthe controller 1204 to edit the captured images or video, and/or sendcaptured media files to others, via email and the like.

In some embodiments, the remote control module 1202 can be configured toallow the controller 1204 to create macros for activating or executingcertain features, settings, and/or software applications of the mobiledevice 120.

Analytics on Secure Mobile Gateway

Referring again to FIG. 4, the secure mobile gateway 128 can include arepository 410 of logged data. The repository 410 can store dataindicative of state information generated at mobile devices 120 orgenerated by the secure mobile gateway 128. For example, the logged datacan include various information, such as data regarding grants anddenials of mobile device access requests by the gateway filter 401. Thelogged data can alternatively or additionally include data logged by andextracted from managed mobile devices 120. Such logged data can include,for example, data indicative of documents downloaded to the mobiledevice 120, system state(s) on particular mobile devices 120, programslaunched on particular mobile devices 120, records of websites or othernetwork resources accessed by particular mobile devices 120, informationassociated with email accounts of users copied on messages associatedwith managed mobile devices 120, documents attached to emails or othermessages received by the mobile devices 120, etc. The logged data caninclude data obtained from the mobile device requests 402. For instance,for a secure mobile gateway 128 that supports ActiveSync, the loggeddata can include the DeviceId, DeviceType, User, and/or UserAgent fromthe ActiveSync request 402, as well as the ActiveSync command issued bythe request. In the case of an access denial, the logged data can alsoinclude the provider 408 of the violated gateway rule 404, andinformation indicative of the reason for the denial. If access is deniedbased on a violated enterprise access policy 218 of the mobile devicemanagement system 126, the gateway 128 can determine which policy 218was violated from the mobile device management system 126 and store itin the repository 410 of logged data. The logged data can also includemobile traffic data and/or other network information about the request402, such as the IP address of the mobile device 120 that issued therequest. The logged data can be stored in accordance with a loggingstandard such as Syslog, so that the data is readable by otherapplications.

The logged data can be provided to or accessed by an analytics service414. In the illustrated embodiment, the secure mobile gateway 128includes a log redirector service 412 that periodically reads the loggeddata 410 and sends some or all of it to the analytics service 414. Thelog redirector service 412 is preferably configurable so that an ITadministrator can direct it to send only those portions of the loggeddata that match configurable criteria. For example, the log redirectorservice 412 can be configured to send only the logged data concerningdenied requests 402, or only the logged data concerning granted requests402, or logged data filtered based on different criteria. Further, thelog redirector service 412 and/or the repository 410 of logged data cancomprise a data-sharing interface that enables other systems (such asthe analytics service 414) to query or extract data concerning thelogged requests 402, such as user data, mobile device data, mobiletraffic data (e.g., IP address of sender device), etc. It will beunderstood that the principles and advantages described with referenceto analytics on the secure mobile gateway 128, can be applied toimplement a variety of data mining and correlation for security or otherpurposes. As an example, if the logged data indicates that a mobiledevice 120 has accessed certain prohibited sites and also recentlydownloaded confidential documents which were then forwarded to anexternal email, this information can be a basis for denial of access toenterprise resources.

The analytics service 414 can comprise, for example, a SecurityInformation Management (SIM) system, a Security Event Management (SEM)system, or a Security Information and Event Management (SIEM) system.SIEM solutions are a combination of SIM and SEM solutions. The analyticsservice 414 can be configured to monitor, analyze, and/or generate andsend alerts, notifications, or reports based on the logged data. Theanalytics service 414 can be configured to detect patterns in the loggeddata, provide metrics useful for further analysis or actions, anddiagnose problems associated with the data. The analytics service 414can be configured to process data formatted according to variousstandards, such as Syslog. For instance, the analytics service 414 canutilize Splunk, a software program having these types of features. Theanalytics service 414 can be part of the enterprise system 110, oralternatively can be part of a third party system for analyzing data ofthe type logged in the repository 410.

For example, the analytics service 414 can be configured to process anaccess denial by the secure mobile gateway 128 by sending acommunication (e.g., an email or SMS message) to the denied user 115,possibly specifying the reason for the denial of access (e.g., “Yourrequest to access the XYZ Corp's network was denied because your mobiledevice does not comply with the enterprise's policy against installingthe Angry Birds™ software application.”).

FIG. 21 shows an example of logged data that can be provided to ananalytics service 414, in accordance with one embodiment. In thisexample, the logged data comprises a table of rows and columns. Each rowcorresponds to a mobile device access request 402. Columns 2102 and 2104include data indicative of the date and time, respectively, at which thesecure mobile gateway 128 logged the corresponding row of data. Withregard to column 2106, “Priority,” is a configurable Syslog setting thatidentifies the collector of messages and level. Priority is aconfigurable item that applies across all Syslog collection types.Column 2108, under the heading “Hostname,” is the IP address of the hostthat provided the corresponding row of data. In the illustratedembodiment, the hostname 2108 is the IP address of the gateway 128.Column 2110, under the heading “Message,” includes various informationabout a selected mobile device access request 402. The illustratedmessage data includes the date and time at which the request wasreceived, the action (allow or deny) that the gateway 128 taken againstthe request, the user (in the first row, “jmcginty”) associated with therequest, the mobile device type, and the IP address that the mobiledevice used when submitting the access request.

FIG. 22 shows an example of an interface of an analytics service 414,for configuring criteria under which the analytics service sends alertsbased on data logged by the secure mobile gateway 128. The illustratedinterface is part of a Splunk SIEM tool. The interface allows anadministrator to input the conditions under which an alert will be sent(“Splunk Alert: Allow ActiveSync Users Alert”), the type of alert(email), content of the alert (“Include search results”), etc.

Authentication of Mobile Device Users

Enterprise networks typically authenticate their users at the onset ofthe users' computer transactions with enterprise resources. In existingsystems, authentication commonly involves a login process of receiving ausername and password from the user's client device, verifying that theusername corresponds to an authorized user, and verifying that thepassword is the correct password for the username. While some enterpriseresources 130 may be configured to consume username data for alltransactions with mobile devices (e.g., to grant access based on userID, user role 206 or other group membership, etc.), other resources 130do not. For some types of enterprise resources 130, afterauthentication, the user is permitted to conduct at least sometransactions with the resource 130 without providing login information.For a defined time period after the last transaction with theauthenticated user, some enterprise resources 130 downstream of theenterprise's firewall(s) assume that new requests that use theauthenticated IP address (i.e., the IP address of the device that sentthe user's login information to the enterprise network) are from theauthenticated user. Such enterprise resources generally do not requestand confirm the user's login information for each transaction with theuser's computing device.

While this approach is generally suitable for non-mobile client devices,it can present security risks specific to mobile devices. Mobile devicesoften change their IP addresses when in use. For instance, a mobiledevice connected to a cellular network while in a moving vehicle canswitch between different cellular towers. Similarly, a mobile device canswitch between different Wi-Fi networks. A mobile device can also switchbetween different IP addresses associated with a single cellular toweror Wi-Fi network. Hence, an enterprise resource 130 that determines theuser associated with an inbound mobile device request by examining onlythe request's IP address risks conducting a transaction with a personwho is not the user.

FIG. 23 illustrates an embodiment of a method by which the analyticsservice 414 can leverage the secure mobile gateway 128 (FIG. 4) toassist in determining whether and/or how to respond to a mobile device'srequest 2302 for accessing or using an enterprise resource 130. Forinstance, the enterprise resource 130 can receive the mobile devicerequest 2302 via a gateway different than the secure mobile gateway 128.The request 2302 could be received via an application tunnel. While theillustrated embodiment depicts a resource 130 that queries the analyticsservice 414 for a binding of user information (e.g., an ID number for auser 115) to mobile traffic data (e.g., IP address), components otherthan resources 130 (such as the tunneling mediator 224) can also beconfigured to do the same.

In the illustrated embodiment, the secure mobile gateway 128 includes agateway filter 401 and a repository 410 of logged data, for example, asdescribed above. The logged data can include data from mobile deviceaccess requests 402 received by the gateway filter 401, for example, asdescribed above. For example, if the gateway 128 supports ActiveSync,the logged data can include the DeviceId, DeviceType, User, and/orUserAgent property values from an ActiveSync request 402, as well as theActiveSync command issued by the request 402.

The request 2302 can include mobile traffic data, such as an IP addressof a mobile device 120 that sent the request 2302. The request 2302 mayor may not include data about the mobile device 120 that sent therequest 2302. The enterprise resource 130 can receive the request 2302and send a user determination request 2304 to the analytics service 414.The user determination request 2304 includes the mobile traffic data ofthe request 2302. The user determination request 2304 can additionallyinclude the time at which the enterprise resource 130 received therequest 2302, the data about the mobile device 120 that sent therequest, as well as other data associated with the request 2302. In someembodiments, the user determination request 2304 can include anidentification of a user 115 that the enterprise resource 130 or anotherenterprise component believes to be the sender of the request 2302, suchthat the analytics service 414 is essentially being asked to verifywhether the identified user 115 is the actual person who sent therequest 2302.

The analytics service 414 can employ a user determination algorithm fordetermining user information associated with the request 2302 receivedby the enterprise resource 130. In this context, user information caninclude a determination of whether the request 2302 was sent by a user115 (as opposed to someone who is not associated or enrolled with theenterprise), a determination of whether a user 115 identified in theuser determination request 2304 is the person who sent the request 2302to the enterprise resource 130, and/or an identification (e.g.,username) of a user 115 who sent the request 2302. The userdetermination algorithm can additionally determine a reliability scoreindicative of a confidence level in the computed binding—a degree ofconfidence that a particular user 115 is the actual person who sent therequest 2302. The analytics service 414 can produce and send a response2306 containing result(s) produced by the user determination algorithm.The results of the algorithm can comprise the user information and/orthe reliability score.

In the embodiment illustrated in FIG. 23, the enterprise resource 130receives the request 2302 and sends the user determination request 2304to the analytics service 414, and the analytics service 414 sends theresponse 2306 back to the enterprise resource 130. In such embodiments,the enterprise resource 130 can be configured to use the data within theresponse 2306 to determine how to respond to the request 2302. Forexample, the enterprise can respond to the request 2302 by responding tothe device 120 that sent the request 2302, ignoring the request 2302,sending an alert to an IT administrator, etc.). The enterprise resource130 can be configured to make this determination at least partly basedon the reliability score (if provided) and/or the specific action orcommand issued within the request 2302. For example, the enterpriseresource 130 can be configured to require a relatively high reliabilityscore if the request 2302 seeks to download sensitive or confidentialenterprise data, while imposing a relatively low reliability scorerequirement if the request 2302 seeks to upload data to the resource130. The enterprise resource 130 can be configured to allow anadministrator to configure the reliability score threshold at which theresource 130 will take any given action in response to the request 2302.

In other embodiments, a component upstream of the enterprise resource130 (e.g., a gateway, firewall, proxy server, DLP monitoring device,tunneling mediator, SSL traffic inspection device, or other componentsdifferent than those of the secure mobile gateway 128) receives therequest 2302, generates the user determination request 2304, and sendsthe user determination request 2304 to the analytics service 414, andthe analytics service 414 sends the response 2306 to said componentupstream of the enterprise resource 130. In these embodiments, theupstream component can be configured to use the data within the response2306 to determine whether to pass the request 2302 along to theenterprise resource 130. Further, the upstream component can beconfigured to make this determination at least partly based on thereliability score and/or the action or command issued within the request2302. For example, if the request 2302 seeks to download sensitive orconfidential enterprise data, the upstream component can be configuredto send the request 2302 to the enterprise resource 130 only if thereliability score exceeds a relatively high value. In another example,if the request 2302 seeks to upload data to the enterprise resource 130,the upstream component can be configured to require a relatively lowreliability score for passing the request 2302 along to the resource130. The upstream component can be configured to allow an administratorto configure the reliability score threshold at which the upstreamcomponent takes any given action in response to the request 2302.

In some embodiments, the analytics service 414 proactively sends out itscomputed bindings of user 115 to mobile traffic data (e.g., IP address)to the enterprise resources 130. The analytics service 414 can send thebindings directly to the resources 130, and/or to one or more componentsupstream of the resources 130, which append the bindings or related datato the mobile device communications that are transmitted to theresources 130. In these approaches, the resources 130 can use thecomputed bindings without requesting them from the analytics service414.

The user determination algorithm employed by the analytics service 414can include scanning some or all of the logged data for mobile trafficdata (from the mobile device requests 402 received by the secure mobilegateway 128) that matches the mobile traffic data received within theuser determination request 2304. For any requests 402 having mobiletraffic data that matches that of the request 2302, the algorithm canalso include determining, from the logged data 410, user data or mobiledevice data provided within the requests 402. For example, the user dataand the mobile device data can respectively include the values of theUser property and the DeviceID property of an ActiveSync request 402.The analytics service 414 can determine a user 115 corresponding to theuser data and/or mobile device data by, e.g., requesting it from themobile device management system 126. For instance, the User and DeviceIDproperty values can correspond to a particular user 115 in the mobiledevice information 204. If the logged data does not include (or theanalytics service 414 is unable to find) mobile traffic data thatmatches that of the request 2302, the analytics service 414 candetermine that the request 2302 was not sent by a user 115.

In order to determine the user information and compute the reliabilityscore, the user determination algorithm can evaluate a variety offactors. In certain embodiments, the user determination algorithmcompares the time at which the request 2302 was received by theenterprise resource 130 to the time of receipt (by the secure mobilegateway 128) of mobile device access requests 402 having mobile trafficdata matching that of the request 2302. For instance, suppose anActiveSync request 402 has User and DeviceId property valuescorresponding to a particular user 115. Suppose further that thesender's IP address within the request 402 is the same as that of therequest 2302, and that the request 402 was received by the secure mobilegateway 128 within a relatively narrow time period (before or after)from the time at which the enterprise resource 130 (or upstreamcomponent) received the request 2302. Under these circumstances, theanalytics service 414 might compute a high reliability score indicatingthat the user 115 associated with the request 402 is the person who sentthe request 2302 to the enterprise resource 130. The user determinationalgorithm can compute a lower reliability score as the time periodbetween the receipt of the request 2302 and the receipt of thetemporally closest request 402 having the same sender IP addressincreases. On the other hand, if the sender's IP address within therequest 402 is different than that of the request 2302, the analyticsservice 414 might compute a relatively low reliability score and/ordetermine that the user 115 associated with the request 402 is likelynot the person who sent the request 2302 to the enterprise resource 130.Further, if there were no requests 402 received by the gateway 128within a predefined or dynamically computed time window from (before orafter) the time of receipt of the request 2302 and which have the samesender IP address as the request 2302, then the analytics service 414can compute a relatively low reliability score.

In certain embodiments, the user determination algorithm evaluates thefrequency with which the enterprise network sees a particular user 115associated with certain mobile traffic data, such as an IP address. Forinstance, suppose that the secure mobile gateway 128 has receivednumerous ActiveSync requests 402 that have User values corresponding toa particular user 115, within a relatively short time window containingthe time at which the enterprise resource 130 received the request 2302.Suppose further that all of said ActiveSync requests 402 include senderIP addresses that are the same as that of the request 2302. Under thesecircumstances, the analytics service 414 might compute a very highreliability score indicating that the user 115 associated with therequests 402 is the person who sent the request 2302 to the enterpriseresource 130. On the other hand, if the sender IP addresses within therequests 402 is/are different than that of the request 2302, theanalytics service 414 might compute a very low reliability score and/ordetermine that the user 115 associated with the requests 402 is likelynot the person who sent the request 2302 to the enterprise resource 130.

In certain embodiments, the user determination algorithm evaluates theextent to which different access requests 402 associated with aparticular user 115 have different mobile traffic data. For instance,the fact that a string of access requests 402 from a particular user 115have numerous different sender IP addresses likely indicates that theuser 115 is on the move and constantly switching IP addresses whilecommunicating with the enterprise system 110. Under these circumstances,the analytics service 414 might compute a relatively lower reliabilityscore than if all of the access requests 402 from the particular user115 had the same sender IP address as the request 2302. In one specificapproach, the analytics service 414 determines a total number of accessrequests 402 that (1) have user data corresponding to a particular user115 of interest, (2) have mobile traffic data that does not match themobile traffic data received within the user determination request 2304,and (3) were received by the secure mobile gateway 128 within apredetermined or dynamically computed time window containing the time ofreceipt in the user determination request 2304. The analytics service414 can reduce the computed reliability score (in a confidence levelthat the request 2302 was from the particular user 115) as the totalnumber of determined access requests 402 increases.

In certain embodiments, the user determination algorithm takes intoconsideration whether the IP address of a request 2302 is from a knownblock or subnet of IP addresses that are registered or otherwiseassociated with the enterprise system 110. Such a block or subnet of IPaddresses can be available via the enterprise's own equipment, primarilyfor use by enterprise personnel, such as a Wi-Fi network, an enterpriseVPN allocation block, or roaming external IP addresses. A block orsubnet of IP addresses can be registered with the secure mobile gateway128. If a request 2302 is sent from an IP address associated with theenterprise, the algorithm can be configured to compute a higherreliability score.

It will be understood that the user determination algorithm forcomputing the reliability score can include factors in addition to thosedescribed above. It will also be understood that the algorithm need notconsider all of the factors described above, and can use anysub-combination thereof.

In the embodiment illustrated in FIG. 23, the analytics service 414 isconfigured to inspect the logged data in the repository 410 of thesecure mobile gateway 128 to establish bindings of users and/or mobiledevices to mobile traffic data (e.g., IP address). However, an analyticsservice 414 can be configured to query multiple different logs of mobilerequest data to compute such bindings. If the enterprise system 110 hasmultiple different secure mobile gateways 128 (e.g., for different typesor protocols of mobile device communications), the analytics service 414can be configured to query logged data from each of the gateways 128.

The analytics service 414 can be configured to generate reports anddisplays of its bindings of user and mobile device to mobile trafficdata (e.g., IP address). The enterprise system 110 can include aweb-based or other type of user interface for viewing such bindings. Forexample, such information could be displayed via a user interface of themobile device management system 126.

In preferred embodiments, various components of the enterprise system110 can use the bindings of user and/or device to mobile traffic dataproduced by the analytics service 414 to track or log network usageevents for one or more mobile devices 120. The analytics service 414 canbe queriable and configured to share its information with othercomponents via, e.g., web services.

As noted above, the analytics service 414 can be configured to generateand send notifications to users 115 or IT administrators based on thelogged data. Additionally, the analytics service 414 can be configuredto send such a notification at least partly based on one or morereliability scores computed according to the user determinationalgorithm. For example, if a large number of requests were denied, andif reliability scores associated therewith satisfy a defined threshold,then the analytics service 414 can be configured to send an appropriatealert. On the other hand, the analytics service 414 can be configured toignore situations involving low reliability scores. If there are a largenumber of access denials, but they all have low reliability scores, itmay not be worth generating and sending a notification.

For security purposes, the analytics service 414 can be configured toencrypt the user, device, and mobile traffic data bindings that theservice 414 produces.

Secure Document Containers

Reference is made again to FIG. 3. In some embodiments, a mobile device120 can include a secure document container 336, which can be referredto as a “container.” As explained herein, the container 336 can helpprevent the spread of enterprise information to different applicationsand components of the mobile device 120, as well as to other devices.The enterprise system 110 (which can be partially or entirely within thecloud 156) can transmit documents to the devices 120, which can bestored (e.g., by the enterprise agent 320) within the container 336. Thecontainer 336 can prevent unauthorized applications 318 and othercomponents of the device 120 from accessing information within thecontainer 336. For enterprises that allow users 115 to use their ownmobile devices 120 for accessing, storing, and using enterprise data,providing containers 336 on the devices 120 helps to secure theenterprise data. For instance, providing containers 336 on the devices120 can centralize enterprise data in one location on each device 120,and can facilitate selective or complete deletion of enterprise datafrom the device 120.

As used in this context, a “document” can comprise any computer-readablefile including text, audio, video, and/or other types of information ormedia. A document can comprise any single one or combination of thesemedia types.

The secure document container 336 can comprise an application thatimplements a file system 338 that stores documents and/or other types offiles. The file system 338 can comprise a portion of a computer-readablememory of the mobile device 120. The file system 338 can be logicallyseparated from other portions of the computer-readable memory of themobile device 120. In this way, enterprise data can be stored in securedocument container 336 and private data can be stored in a separateportion of the computer-readable memory of the mobile device 120. Thecontainer 336 can allow the enterprise agent 320, mobile deviceapplications 318 and/or other components of the device 120 to read from,write to, and/or delete information from the file system 338 (ifauthorized to do so). Deleting data from the container 336 can includedeleting actual data stored in the container 336, deleting pointers todata stored in the container 336, deleting encryption keys used todecrypt data stored in the container 336, and the like. The container336 can be installed by, e.g., the agent 320, IT administrators of theenterprise system 110, or the device 120 manufacturer. The container 336can enable some or all of the enterprise data stored in the file system338 to be deleted without modifying private data stored on the mobiledevice 120 outside of the container 336. The file system 338 canfacilitate selective or complete deletion of data from the file system338. For example, a component of the enterprise system 110 can deletedata from the file system 338 based on, e.g., encoded rules. In someembodiments, the agent 320 deletes the data from the file system 338, inresponse to receiving a deletion command from the enterprise system 110.In other embodiments, the data is deleted without the assistance of theagent 320, for example if an agent 320 is not provided.

The secure document container 336 can comprise an access manager 340that governs access to the file system 338 by applications 318 and othercomponents of the mobile device 120. Access to the file system 338 canbe governed based on document access policies (e.g., encoded rules)stored in the documents and/or the file system 338. A document accesspolicy can limit access to the file system 338 based on (1) whichapplication 318 or other component of the device 120 is requestingaccess, (2) which documents are being requested, (3) time or date, (4)geographical position of the device 120, (5) whether the requestingapplication 318 or other component provides a correct certificate orcredentials, (6) whether the user of the device 120 provides correctcredentials, (7) other conditions, or any combination thereof. A user'scredentials can comprise, for example, a password, one or more answersto security questions (e.g., What is the mascot of your high school?),biometric information (e.g., fingerprint scan, eye-scan, etc.), and thelike. Hence, by using the access manager 340, the container 336 can beconfigured to be accessed only by applications 318 that are authorizedto access the container 336. As one example, the access manager 340 canenable enterprise applications installed on the mobile device 120 toaccess data stored in the container 336 and to prevent non-enterpriseapplications from accessing the data stored in the container 336.

Temporal and geographic restrictions on document access may be useful.For example, an enterprise administrator may deploy a document accesspolicy that restricts the availability of the documents (stored withinthe container 336) to a specified time window and/or a geographic zone(e.g., as determined by a GPS chip 316) within which the device 120 mustreside in order to access the documents. Further, the document accesspolicy can instruct the container 336 or agent 320 to delete thedocuments from the container 336 or otherwise make them unavailable whenthe specified time period expires or if the mobile device 120 is takenoutside of the defined geographic zone.

Some documents can have access policies that forbid the document frombeing saved within the secure document container 336. In suchembodiments, the document can be available for viewing on the mobiledevice 120 only when the user 115 is logged in to the enterprise system110.

The access manager 340 can also be configured to enforce certain modesof connectivity between remote devices (e.g., an enterprise resource 130or other enterprise server) and the container 336. For example, theaccess manager 340 can require that documents received by the container336 from a remote device and/or sent from the container 336 to theremote device be transmitted through application tunnels, for example,as described above. Such application tunnels can use the tunnelingmediator 224 of the enterprise system 110. The access manager 340 canrequire that all documents transmitted to and from the container 336 beencrypted. The enterprise agent 320 or access manager 340 can beconfigured to encrypt documents sent from the container 336 and decryptdocuments sent to the container 336. Documents in the container 336 canalso be stored in an encrypted form.

The secure document container 336 can be configured to prevent documentsor data included within documents from being used by unauthorizedapplications or components of the mobile device 120 or other devices.For instance, a mobile device application 318 having authorization toaccess documents from the container 336 can be programmed to prevent auser from copying a document's data and pasting it into another file orapplication interface, or locally saving the document or document dataas a new file outside of the container 336. Similarly, the container 336can include a document viewer and/or editor that does not permit suchcopy/paste and local save operations. Moreover, the access manager 340can be configured to prevent such copy/paste and local save operations.Further, the container 336 and applications 318 programmed andauthorized to access documents from the container 336 can be configuredto prevent users from attaching such documents to emails or other formsof communication.

A mobile device application 318 can be programmed to lookup and find thesecure document container 336 (or a secure web browser 332, describedbelow, that includes the container 336) as a resource of the mobiledevice 120. In certain embodiments, the application 318 can run in asecure virtual machine separate from a virtual machine of an operatingsystem of the mobile device 120. According to some other embodiments,the application can run within the secure web browser 332. Anapplication 318 can be programmed to write enterprise-related data onlyinto the container 336. For instance, the application's 318 source codecan be provided with the resource name of the container 336. Similarly,a remote application (e.g., an enterprise resource 130) can beconfigured to send data or documents only to the containers 336 of oneor more mobile devices 120 (as opposed to other components or memorylocations of the devices 120). Storing data to the container 336 canoccur automatically, for example, under control of the application 318,the enterprise agent 320, or the web browser 332. An application 318 canbe programmed to encrypt or decrypt documents stored or to be storedwithin the container 336. In certain embodiments, the container 336 canonly be used by applications (on the device 120 or remote) that areprogrammed to look for and use the container 336, and which haveauthorization to do so.

The secure document container 336 can serve as a temporary repositoryfor documents and other files sent to the mobile device 120. Remoteapplications can be configured to send documents to the container 336(e.g., via application tunnels) on a one-time or periodic basis. Forexample, a sales-related enterprise resource 130 can be programmed tosend sales-related documents (e.g., most recent price sheets) everymorning to the containers 336 of a team of users 115 havingsales-related roles 206 (e.g., sales persons). The sales-relateddocuments can have document access policies such that the documents will“self-destruct” (e.g., be automatically deleted from the container336—the deletion being performed by, e.g., the container 336 itself orthe enterprise agent 320) at a certain time or at the expiration of atime period beginning at a defined event (e.g., the user's opening of adocument). Document distribution policies (e.g., encoded rules) can beprovided (e.g., within the mobile device management system 126) tocontrol when and how remote applications (e.g., enterprise resources130) send documents to the containers 336, to which users 115 thedocuments are sent, what restrictions (e.g., temporal or geographicrestrictions) are placed on the use and availability of the documents(e.g., in the form of document access policies as described above), etc.

Remote applications that send documents to one or more secure documentcontainers 336 of mobile devices 120 can be configured to integrate withother repositories, for the purpose of sending documents from suchrepositories to the containers 336. Such other repositories can bestored, for example, within the enterprise system 110 (e.g., enterprisedocument repositories such as a Microsoft Sharepoint™ repository) or ina cloud-computing system (e.g., a Box.net™ repository).

Software Development Kit for Mobile Device Applications

Another aspect of certain embodiments involves a software developmentkit (SDK) that enables an application developer to embed one or more ofthe functionalities described herein into a mobile device softwareapplication, such as a software application 318. As used herein, “embed”can include the modification of an application's source code. FIG. 24illustrates an embodiment of a software development system 2402including an SDK 2404 for creating a mobile device application 2406. Thesoftware development system 2402 can be implemented by any suitablecomputer hardware. A software developer can create an application 2406such as by generating program code and compiling it into an executableprogram compatible with a mobile device 120.

The SDK 2404 can comprise a library of development tools 2408 providingdifferent functionalities. The development tools 2408 can comprise codesnippets, data structures, protocols, routines, and the like. The SDK2404 can provide an application programming interface (API) 2410 thatenables an application 2406 to interface with the development tools2408. The SDK 2404 can include a program editor 2412 for generating thecode for an application 2406, and a compiler 2414 for converting thecode into a machine-readable format. The SDK 2404 can include adebugging tool 2416 for debugging developed code. It will be appreciatedthat the SDK 2404 can include other features in addition to these. Itwill also be appreciated that the SDK 2404 need not include all of theillustrated features.

The development tools 2408 can include tools for embedding one or moreof the functionalities described herein into a mobile device softwareapplication 2406. It will be appreciated that any sub-combination ofthese functionalities can be embedded into the application 2406, andthat other functionalities not described herein can also be so embedded.Different development tools 2408 are now described.

In certain embodiments, the SDK 2404 includes a development tool 2408that allows an application developer to embed, within an application2406, functionality for forming and maintaining an application tunnel(for example, as described above) with a network resource, andcommunicating with the network resource by sending and receivingcommunications through the tunnel. The network resource can comprise,for example, an enterprise resource 130. The tool 2408 can be configuredto add application tunnel functionality that participates with anenterprise agent 320. As described above in the application tunnelssection, the enterprise agent 320 can receive network communicationsfrom the application 2406, encapsulate them according to anencapsulation protocol, send the encapsulated communications to atunneling mediator, receive similar communications from the tunnelingmediator (which came from a tunnel endpoint resource), unpackencapsulated communications received from the tunneling mediator, andsend the unpacked communications to the application 2406. Alternatively,the tool 2408 can provide functionality for forming an applicationtunnel without the participation of the enterprise agent 320, whereinthe application 2406 itself performs these actions using anencapsulation protocol as described above.

In certain embodiments, the SDK 2404 includes a development tool 2408that allows an application developer to embed, within an application2406, functionality for improving the communication experience between amobile device 120 and a network resource, such as an enterprise resource130, particularly for application tunnel communications. Suchfunctionality can include caching user-inputted data locally on themobile device 120 in the event of a lost connection to a network, asdescribed above. Such functionality can likewise include compression ofdata to be sent to a network resource, and decompression of datareceived from the network resource, as described above. Again, suchembedded functionality can participate with an enterprise agent 320 toenable these features, or can provide these features separate from anenterprise agent 320.

In certain embodiments, the SDK 2404 includes a development tool 2408that allows an application developer to embed, within an application2406, functionality for participating in a remote control sessionbetween a mobile device 120 and a helpdesk operator, as described above.Such functionality can allow a helpdesk operator to view data about theapplication 2406 installed on the mobile device 120, and/or to controlaspects of the application 2406 and possibly other features of themobile device 120. Such functionality can include sending user interfaceemulation data to the helpdesk operator's computer, as described above.Such functionality can include receiving commands from the helpdeskoperator for executing actions on the mobile device 120. Again, suchembedded functionality can participate with an enterprise agent 320 toenable these features, or can provide these features separate from anenterprise agent 320.

In certain embodiments, the SDK 2404 includes a development tool 2408that allows an application developer to embed, within an application2406, functionality for finding, providing credentials to, reading from,and/or writing to a secure document container 336 as described above.This can allow the application 2406 to access and update informationwithin the container 336. This can also allow the application 2406 toaccess documents securely received by the mobile device 120 from anetwork resource, such as an enterprise resource 130 or otherapplication or component of an enterprise system 110. The developmenttool 2408 can be configured to modify the source code of an application2406 so that the application 2406 can find the container 336 by itsresource name on the device 120. The development tool 2408 can beconfigured to modify the source code of an application 2406 so that theapplication 2406 writes all data (or perhaps just data relating to theenterprise 110) into the container. For example, the development tool2408 can be configured to parse the application's source code to findcommands for writing data to a memory (e.g., application state data forallowing the user to stop using the application and than later restartthe application in the exact state in which the user left it) or readingdata from the memory, and to adjust one or more of those portions of thesource code to write data into the container 336 and read data from thecontainer 336.

In some embodiments, the SDK's development tool 2408 can embed withinthe application 2406 the ability to encrypt documents to be storedwithin the container 336, and/or the ability to decrypt documentsobtained from the container 336. The development tool 2408 can embedwithin the application 2406 an editor for allowing a user 115 of amobile device 120 to view and/or edit documents obtained from thecontainer 336. The editor can also allow the user 115 to upload editedor newly created documents to the container 336 or to a network resource(e.g., an enterprise resource 130 of the enterprise system 110).

In certain embodiments, the SDK 2404 includes a development tool 2408that allows an application developer to embed, within an application2406, mobile device rules such as the rules 214 described above.Further, the development tool 2408 can allow the developer to embedfunctionality for evaluating the mobile device rules, including queryingthe device 120 or other network resources for data needed for theevaluation. The embedded functionality can also include remedial actionsassociated with the mobile device rules, such as the remedial actions216 described above. The embedded functionality can further include aremedy agent for automatically executing remedial actions on the mobiledevice, as described above. Compared to the aforementioned mobile devicerules 218 (which are described above predominantly as user-specific anddevice-specific rules), a software developer can embed rules andremedial actions that are customized to a specific application 2406. Incertain embodiments, the SDK 2404 includes tools for creating andediting mobile device rules and remedial actions, such as the tools 221described above. A software developer can use the creating/editing toolsto create mobile device rules and remedial actions, and to embed theminto an application 2406. Certain embodiments provide an online libraryof mobile device rules and remedial actions that a software developercan use, with or without modification, and embed within an application2406.

In certain embodiments, the SDK 2404 includes a development tool 2408that allows an application developer to embed, within an application2406, functionality for application fault detection (e.g., using mobiledevice rules as described above), application performance measurement,and the detection of related events. The embedded functionality caninclude the logging of detected faults, performance measurements,related events, event times, event locations, and other data within alocal storage of a mobile device 120. The development tool 2408 canallow an application 2406 to be configured to report such data to anetwork resource, such as a component of an enterprise system 110,and/or an analytics service such as the analytics service 414 describedabove. This embedded functionality can give IT administrators visibilityinto what is happening on the mobile device, at least as it pertains tothe specific application 2406 installed thereon. Further, an analyticsservice can analyze data across multiple different mobile devices 120that run the specific application 2406. The embedded functionality caninclude encrypting the data logged on the mobile device 120 and/orreported to other components via network communications.

In certain embodiments, the SDK 2404 includes a development tool 2408that allows an application developer to embed, within an application2406, functionality for cooperating with a meta-application, such as anenterprise system-based meta-application portion 150 and/or acloud-based meta-application portion 151. The embedded functionality caninclude discovery procedures for discovering information about theinstalled application 2406 or a mobile device 120 on which it isinstalled, and sending the discovered information to themeta-application for use in, e.g., constructing a queriable model(similar to the enterprise model 814 of FIG. 8) of which the application2306 and/or mobile device 120 forms at least a part. The embeddedfunctionality can include receiving a query from the meta-application,responding to the query by retrieving the queried data from the mobiledevice 120, and sending the queried data to the meta-application. Asdiscussed above, the meta-application can use the queried data to detectproblems, perform root cause analysis, and/or select remedial actions.Hence, the embedded functionality can include receiving a remedialaction from the meta-application, executing the remedial action on themobile device 120, and reporting results of executing the remedialaction to the meta-application. In some embodiments, the embeddedfunctionality participates with a device-resident enterprise agent 320to provide these features, while in other embodiments the embeddedfunctionality provides these features without cooperating with anenterprise agent 320.

Secure Web Browser

Another aspect of certain embodiments involves a web browser withinwhich other mobile device software applications can run. The web browsercan be provided with some or all of the enterprise security and otherfeatures described herein, and can extend those features for use withthe mobile device applications that run within the browser. In this way,the browser can be used to implement BYOD policies while maintaining adesired level of control over applications running on a mobile device120 of an enterprise user 115. An enterprise can require some or all ofits users 115 to install and use this web browser, to reduce enterprisesecurity risks associated with the use of such mobile deviceapplications. Further, in some circumstances, such a web browser canmake it unnecessary for application developers to develop differentversions of a mobile device application for different mobile deviceplatforms. As mentioned above, the secure browser can also be used toenable mobile device users to access a corporate intranet without theneed for a virtual private network (VPN).

Referring to FIG. 3, a mobile device 120 can include a specialized webbrowser 332. The web browser 332 can be configured to perform thefunctions of conventional web browsers, including surfing Internetsites, displaying and/or playing multimedia content received from webservers, etc. The web browser 332 can store data accessed via a networkin a secure document container 336 and/or in a secure browser cache.Such data can be deleted at the direction of an enterprise. Forinstance, a mobile device management system 126 can initiate deletion orotherwise make data stored in the secure document container 336 and/orthe secure browser cache inaccessible. Additionally, the web browser 332is preferably configured to act as a container for at least some othersoftware applications 318 installed on the mobile device 120, to allowthose applications 318 to run within the browser 332. A softwareapplication 318 can be configured to launch the browser 332 when theapplication 318 is itself launched by a user 115. Moreover, anapplication 318 can be configured to launch the browser 332 and runwithin the browser 332 in a manner that is transparent to the user 115.In other words, the user 115 can be given the impression that theapplication 318 is running conventionally, without involving the webbrowser 332. The web browser 332 can leverage a protocol thatfacilitates its usage as a container for other software applications318. For example, the web browser 332 can leverage HTML5 for thispurpose.

The web browser 332 can provide some or all of the functionalitiesdescribed herein. For example, the web browser 332 can include some orall of the functionalities provided by the SDK 2404 and/or enterpriseagent 320 described above. Thus, the web browser 332 can be configuredto use application tunnels for communications with network resources(such as enterprise resources 130). The web browser 332 can receive (orhave embedded) mobile device rules 214 and remedial actions 216 from themobile device management system 126 or another component of anenterprise system 110. The web browser 332 can alternatively haveembedded mobile device rules and remedial actions. The web browser 332can employ caching and/or compression methods within applicationtunnels, to improve the user's communication experience as describedabove. The web browser 332 can be configured to provide credentials to,read from, write to, and/or provide an editor for displaying and editingdocuments obtained from a secure document container 336 of the mobiledevice 120, as described above. In certain embodiments, the web browser332 can implement the secure document container 336. The web browser 332can prompt a user 115 to supply access credentials prior and verify theaccess credentials prior to exposing functionality of an application 318running within the browser 332 to the user 115. Alternatively oradditionally, the web browser 332 can cause data stored to the mobiledevice 120 by an application 318 running in the web browser 332 to beencrypted. The web browser 332 can be configured to participate in aremote control session with a helpdesk operator, as described above. Theweb browser 332 can be configured to log fault detections, performancemeasurements, related events, event times, event locations, and otherdata, and to provide such data to an analytics service as describedabove in connection with the SDK 2404. The web browser 332 can beconfigured to engage in communications with a meta-application, again asdescribed above. By providing at least some of these and/or otherfunctionalities, the web browser 332 can make it unnecessary for mobiledevice application developers to embed such functions within the mobiledevice applications 318.

In some embodiments, the web browser 332 is configurable so that one ormore of these functionalities can be activated or deactivated underdefined conditions that can be configured, e.g., remotely by a remotecomputer system such as the enterprise system 110. Definable conditionsinclude temporal conditions, location conditions, mobile deviceproperties, user properties (e.g., roles 206), and others. A temporalcondition can be the time of day. For example, the web browser 332 canbe configured to force all mobile traffic (at least for applications 318configured to launch the browser 332) through application tunnels onlyduring working hours (e.g., 8 am to 5 pm on Monday through Friday), andto send the traffic conventionally outside of those hours. A locationcondition can be the location of the mobile device 120. For example, thebrowser 332 can be configured to activate the aforementioned compressionand caching features when the device 120 is in a geographical area knownto have bad wireless connectivity.

Different web browsers 332 can be created for different mobile deviceplatforms, with each of the browser versions using a single standard forrunning mobile device applications. This can advantageously allow mobiledevice application developers to develop mobile device applications 318in just one programming language, as opposed to creating differentversions for the various mobile device platforms. This can substantiallyreduce the application development workload for developers.

An enterprise can require its users 115 to install the web browser 332onto their mobile devices 120, and can prohibit the use of other webbrowsers. The required browser 332 can be configured to direct at leastsome of the mobile device traffic through application tunnels to anenterprise-controlled tunneling mediator, such as the mediator 224described above. This gives the enterprise greater control over thetraffic, reducing security risks. An enterprise can deploy a mobiledevice rule 214 that enables a device-resident enterprise agent 320 orthe web browser 332 itself to detect the installation and/or use of aprohibited web browser on the mobile device 120. An associated remedialaction 216 can prevent the usage of the prohibited web browser accordingto methods described above, such as by uninstalling it, preventing itfrom running, etc.

In some embodiments, the secure web browser 332 can be configured todirect some or all web surfing requests to a content-filtering server asdescribed above.

Modifying Behaviors of Pre-existing Mobile Applications

A system and process will now be described for enabling non-developers,such as members of a company's IT department, to add to or otherwisemodify the behaviors of an existing mobile application, such as anAndroid, IOS, or Windows Mobile application. The system and process canbe used, as one example, to create different versions of a mobileapplication (with different privileges, access rights, etc.) based on auser's role within the enterprise. For instance, different versions ofthe mobile application can be created for different job categories(e.g., executive, non-executive employee, intern, etc.) and/or differentdepartments (sales, IT, human resources, etc.). The processes describedin this section can be implemented in an application modification or“wrapping” tool or utility that is made available to enterprises thatuse the disclosed system. This utility may, for example, be hosted on aserver (e.g., as a web service) that is accessible to enterprises, ormay be provided to the enterprises (e.g., as a PC application).

In a typical use case scenario, the mobile application to be modified isa custom application developed for a particular enterprise. However,this need not be the case. For example, the disclosed system and processare also applicable to commercially available mobile applicationsavailable in app stores. The mobile applications can be modified withoutbeing specially written to support or enable such modifications. Forexample, the developer need not include any special code orfunctionality in the application to enable or facilitate themodifications, and need not be involved in the disclosed process ofmodifying the application.

The behaviors that are modified typically include or consist ofbehaviors that involve standard API calls or classes. The following areexamples of some of the types of behaviors that can be added or modifiedvia the disclosed process:

1. The cut-and-paste capability commonly provided through mobile deviceoperating systems, such as Android and IOS, can be disabled within aparticular mobile application, such as an application that providesaccess to confidential corporate data. This behavioral change may bedesirable to inhibit employees (or a certain class of employees) fromaccidentally or maliciously sending or moving confidential data to anunauthorized location.

2. A mobile application that stores its output in a non-encrypted formatcan be modified to store its output in an encrypted format. In oneembodiment, this is accomplished in-part by modifying the mobileapplication's input/output references to cause the application to use anencryption library to encrypt and decrypt the data it write to or readsfrom memory. Code may also be injected that causes the mobileapplication to obtain a key from the enterprise agent for use inencrypting and decrypting the data.

3. A mobile application that uses a certain level or type of encryptioncan be modified to use a different level or type of encryption. Forexample, if the Federal Government requires the enterprise to beginusing a particular encryption library, an existing mobile applicationcan be modified to effectively replace the existing encryption librarywith the new one.

4. An enterprise can modify a mobile application to cause it to use aspecial secure connection to the enterprise's network or enterprisesystem. For example, the mobile application can be configured to use asecure application tunnel as described above.

5. A mobile application can be modified to add a log-in or otherauthentication prompt or screen.

6. A mobile application can be configured to log and/or report dataregarding its usage. This data may include, for example, the time andduration of use, the location (based, e.g., on GPS coordinates) of use,the application features invoked, the access points accessed, etc.(Existing mobile device operating systems such as Android and IOSprovide functionality for enabling applications to obtain these andother types of usage parameters). This usage data may be used by anenterprise to, for example, monitor employee compliance with theenterprise's usage restriction policies, to identify and correctproblems with particular enterprise mobile applications, or to determinewhether to continue paying for application licenses for particularusers. The application usage data collected on a mobile device 120 may,for example, be reported by the enterprise agent 320 to the mobiledevice management system 126, or some other system, for analysis.

7. A mobile application can be modified to enable an enterprise toremotely initiate deletion of the application's data on a particularmobile device 120 of a particular employee, without affecting otherusers of the application. As mentioned above, such selective wipeoperations may also be executed when, for example, a user fails to entera valid enterprise passcode a threshold number of times.

8. A mobile application can be modified such that it can only belaunched in by a secure launcher 350B (FIG. 3B), and not by the generallauncher of the mobile device's operating system. This may beaccomplished by, for example, changing one or more references in themobile application to the mobile operating system's general launcher sothat they point instead to the secure launcher. As explained above, thesecure launcher may implement one or more security policies, such asrequiring entry of a valid passcode before the enterprise application islaunched. The secure launcher may also cause the enterprise applicationsto run in a secure execution environment, such as by causing theenterprise applications to be executed using a secure virtual machine(FIG. 3B) that is separate from the mobile operating system's virtualmachine. (See section below.)

9. A mobile application can be modified to cause it to launch in asecure virtual machine 350C (FIG. 3B). This may be accomplished by, forexample, modifying a reference in the application (e.g., in an Androidapplication's manifest or in any manner in which the application islaunched) to cause it to be launched in a secure VM. As explained belowin the section titled Secure Virtual Machine, the secure VM mayimplement some of the client-side security functions described herein(encryption, application tunnels, etc.), reducing or eliminating theneed to add such functions to the mobile applications themselves. Thiscan enable enterprise applications to be run in a secure executionenvironment, while personal applications are run in a default VM.

Other examples include disabling offline access, adding URL filtering,adding API filtering, disabling writes to local storage, and preventingdocuments from being opened in new applications.

FIG. 29 illustrates one embodiment of the application modificationsystem. The system includes an application transformer 2900 that makesthe modifications based on operator-selected policies. For Androidapplications, the transformer 2900 receives the application's .APK(application package) file, and outputs a new .APK file representing themodified application. For IOS, the transformer 2900 receives a .IPA(iPhone application archive) file, and outputs a new .IPA filerepresenting the modified application. Various other file formats andmobile device operating systems may be supported. As shown in FIG. 29,the application transformer 2900 preferably includes a disassembler2900A (for disassembling the application's executable code), a codeanalyzer/mapper 2900B, a code modifier/injector 2900C, and anapplication rebuilder 2900D.

As shown in FIG. 29, the transformer 2900 accesses a policy library 2902containing policy descriptions for various policies and associatedbehaviors, such as those listed above. For example, a “disablecut-and-paste” policy may be provided. The policies may be described inany appropriate language and format. For example, the policydescriptions may be stored as smali files. As further shown in FIG. 29,the system also includes a control interface 2904 or “console” thatenables an administrator to select the policy or policies to be appliedto a given mobile application. The console 2904 may also include a toolfor enabling administrators to define new policies. For example, a newpolicy could be defined that adds an authentication sequence, disablescut-and-paste, and causes all files to be stored in encrypted form. Thispolicy could then be used as a basis for modifying multiple mobileapplications.

In a typical use case scenario, a member of a company's IT departmentuses the control interface 2904 to: select a mobile application to bemodified, select the policy or policies to be applied, and initiate thetransformation process. The modified application is then distributed tothe relevant employees or other users (e.g., through a specialapplication store that is accessible through the enterprise agent, asdescribed above). This process may be repeated with different policyselections to create different versions of the application for differentusers. The policy library 2902 may, for example, include policy filesfor implementing some or all of the types of policies described above(and various others).

FIG. 30 illustrates a sequence of steps that may be performed bytransformer 2900 to modify an Android application based on a selectedset of one or more policies. A similar process may be used to transformapplications written for other operating systems, such as IOS andWindows Mobile. The entire process shown in FIG. 30 is preferably fullyautomated, meaning that no human intervention is required. In block3000, the .APK file is opened. As in known in the art, this filecontains various application components, such as the application'sexecutable code, images, XML files, a manifest, and other resources. Inblock 3002, the disassembler 2900A disassembles the application'sexecutable code to generate one or more textual smali files. As will berecognized, an intermediate language other than smali can be used toimplement the disclosed modification tasks.

In block 3004, the analyzer/mapper 2900B analyzes and maps theapplication code (in smali format) to generate information regarding APIcalls that will potentially be replaced. In block 3006, the relevant APIcalls are replaced with new API calls for implementing the selectedpolicy or policies. In addition, the associated code from the policylibrary 2902 is added. For example, if the cut-and-paste functionalityis being disabled, any API calls that are used by the application toaccess the operating system's cut-and-paste functionality may be removedor replaced.

As one example, a new version of the Java I/O File Input Stream(Java.io.FileInputStream) class may be generated, and all references tothe original class may be modified to point to this new version. The newversion may, for example, include code for encrypting and decryptingdata on file write and read operations, respectively.

In block 3008 of FIG. 30, additional code may be added, if applicable,to implement one or more features or behaviors that do not require thereplacement of any existing API calls. As one example, code may be addedfor enabling an authorized administrator to remotely trigger thedeletion, on a user-specific or mobile device specific basis, of theapplication's data stored on a particular mobile device. In thisexample, the code added in block 3008 would add functionality forreceiving and processing a message containing a command to perform sucha selective wipe or deletion operation.

To provide an additional layer of security, the portions of the codethat are modified in the preceding blocks may be obfuscated usingobfuscation methods and functions that are known in the art. The use ofobfuscation impairs the ability of others to reverse engineer thesecurity functions added to the application. Obfuscation may be appliedto the disassembled code (e.g., smali code), or may be applied at adifferent level.

In block 3010 of FIG. 30, the application's manifest (e.g.,AndroidManifest.xml) is modified, if necessary, to reflect the modifiedbehaviors. As one example, if the application is being modified to belaunched in a secure shell, the manifest would be modified to instructthe Android operating system to use the secure shell to launch theapplication. In some embodiments, this involves replacing a reference tothe operating system's general launcher with a reference to a securelauncher 350B (FIG. 3B). In block 3012, the modified smali code andmanifest, together with the other extracted application components, arecompiled into a new .APK file. In block 3014, this new .APK file issigned using a digital certificate.

Mobile applications written for the IOS operating system may be modifiedin a similar manner. Typically, such an application is distributed as anIPA file that includes an executable in Mach-O format, a P-list, andresources. Once the executable has been disassembled to produce ARMassembly code, it is mapped to identify classes to potentially bereplaced, and is then modified by: (1) identifying one or more specificclasses to be replaced, (2) adding/modifying the code to replace suchclass(es), (3) adjusting the class structure to reflect themodifications, so that each new class is a subclass of the originalcode, and (4) updating the references to point to the new class orclasses.

In some embodiments, the above-described process may be augmented withone or more tests for verifying that the mobile application to bemodified does not contain malware, or does not otherwise present a riskto enterprise security. One such test involves generating a hash of someor all of the application files, and then comparing this hash to libraryof hashes that are associated with known malware. If a match is found(indicating that the application likely includes malware), theapplication modification process may be terminated.

Another such test involves inspecting the API calls and URL requestsmade by the application to check for suspicious activity. Examples ofsuspicious activity include reading the personal contacts stored on thedevice, sending an email to a cloud storage service, and sendinglocation information without first requesting user permission. Based onthis analysis, a score (e.g., on a scale of 1 to 100) may be generatedthat represents the level of risk posed by the mobile application. Themodification process may be terminated if this score exceeds athreshold. The score may additionally or alternatively be included in areport that details the suspicious activity detected. The applicationmodification tool may, for example, output this report for review, andmay prompt the administrator-user to confirm or indicate whether themodification process should proceed.

The application modification system shown in FIG. 29 may, for example,be implemented on a server, personal computer, workstation, or othercomputer or system of computers within a company's enterprise system.Alternatively, the application modification system may be implemented asa hosted service that is accessible to corporate customers over theInternet. The various components 2900-2904 of the system may beimplemented as code modules that are stored on any type(s) ofnon-transitory computer storage device or system.

The components 2900, 2902, 2904 of the system shown in FIG. 29 may beprovided to companies as part of a larger system (such as the systemdescribed in other sections of this specification) for enabling thecompanies to manage mobile devices and to protect data accessed by suchdevices. For example, these components may be bundled and licensed withvarious other components described in this disclosure. Alternatively,the application modification system of FIG. 29 may be provided tocompanies as a standalone product, or as a system that is hosted by aservice provider and accessed over a network.

Secure Virtual Machine

As mentioned above, one approach for effectively adding a security layerto the enterprise mobile applications is to configure or force suchapplications to run within a secure VM 350C (FIG. 3B) installed on themobile device. The secure VM may be similar to the mobile operatingsystem's VM, but may point to special code libraries that are added tothe mobile device, including code libraries for performing suchfunctions as encrypting/decrypting data and using application tunnels.The use of a secure VM enables an enterprise's IT department toeffectively add a security layer to a pre-existing mobile applicationwith little or no modification to the application itself. This may bedesirable when, for example, the enterprise wishes to use a popular,commercially available mobile application as an enterprise application,but does not have authorization to (or otherwise does not wish to) makecertain types of modifications to the application.

The secure VM 350C can be loaded with its own set of private librariesfor storage, networking, policy management, etc. For example, some orall of the data stored by an application running in the secure VM 350Ccan use a certain encryption library. The secure VM 350C can implement aset of policies (such as authentication, disabling of cut/paste,prevention of access to certain URLs, prevention of access to certainAPIs etc.) to control execution of the application within the secure VM350C.

The secure VM 350C can block the execution of an application runningtherein based on detecting certain conditions, such as conditionsindicative of the application having a virus or being malware. Hooks canbe added to the secure VM 350C to prevent programs from being executedwhen certain conditions are detected. The secure VM 350C can observe theexecution characteristics of an application running therein to determinethat the application does not have exhibit malicious behavior.

By using a custom VM, all corporate content can essentially be separatedfrom other content stored on the device. Such a custom VM can preventdata or applications from being shared with applications that areexecuted in the default VM of the mobile device 120. Moreover, the dataaccessed and/or manipulated by an application running in the custom VMcan be stored in the secure data container 336 as described above.

In one embodiment, a single secure VM is provided on the mobile device120 for running enterprise applications, and can be used to concurrentlyrun multiple enterprise applications concurrently. In anotherembodiment, multiple secure VMs are provided on the mobile device, suchthat each enterprise application runs within a separate secure VM. Ahybrid of these two approaches is also possible.

A variety of methods can be used to force or configure a pre-existingmobile application to use a secure VM. One such approach involvesmodifying the mobile application to cause it to use a secure launcher350B, as described in the preceding section. When the application islaunched, the secure launcher launches the secure VM, and theneffectively passes the mobile application to the secure VM forexecution. Another approach involves modifying the mobile application byreplacing references to the operating system's default virtual machinewith references to the secure VM. Another approach involves instructingthe mobile device's operating system, at the time of installation of theapplication, to execute the mobile application in the secure VM.

In one embodiment, whenever a mobile application running in the secureVM performs a file read or write operation, the secure VM uses anencryption library to process the data being read or written. The secureVM thereby applies encryption to the enterprise data stored locally byenterprise applications.

Library files used by the secure VM may, in some embodiments, beincorporated into the operating system or otherwise installed on themobile device with the cooperation of the OS developer, devicemanufacture/seller, or other party that has the appropriate permissionlevels for making such additions. The ability to add such library filesgenerally increases the security capabilities of the secure VM, but isnot essential.

One benefit of running an application in a secure VM is that the secureVM can be loaded with an alternate set of private libraries for storage,networking, policy management, etc. For example, a library can be loadedthat causes all data stored by the application to be encrypted using acertain encryption library. Libraries can also be loaded that, forexample, disable cut/copy/paste operations, require user authentication,prevent access to certain URLs, prevent access to certain APIs, etc. Theparticular libraries that are loaded may, for example, depend on therole or position of the user within the enterprise, the particularapplication being launched, and/or other criteria.

Another benefit of running an application in a secure or custom VM isthat the application's execution can be blocked if the applicationexhibits suspicious behaviors of the type present in malware or viruses.This may be accomplished by adding hooks to the secure VM to enable anapplication's execution to be monitored and/or blocked.

The secure or custom VM also provides a mechanism for keeping enterprisecontent separate from other content stored on the device. For example,through the use of the secure VM, the data stored by an enterprise canbe stored in a secure container as described above. This dataadvantageously is not accessible in unencrypted form to the device'sdefault VM or the applications that run within it.

In the context of the Android OS, one method that can be used to launchan application in the secure VM involves the use of the app_processcommand to modify the standard launch sequence. For example, a commandof the following format may be used once Zygote initializes a childprocess: execvp(“/system/bin/app_process”, ..<args>..). (Zygote is aspecial process that is created when Android boots; once created, itopens a server socket to listen for process creation requests.) Thiscall replaces the old executable image with a fresh one, and enables thesecure VM to be loaded with some existing libraries/jars, and with somenew libraries/jars that implement, e.g., enterprise policy push, securestorage, and secure networking features. The new instance is not a shareof Zygote or any other parent process, but rather is a completely newprocess with its own execution environment and added set of behaviors.Once the secure VM is loaded, the following steps can be performed tolaunch the application in the secure VM: (1) the newly created processperforms an “attachment” operation; (2) once the ActivityManagerServicereceives the attach request from the newly created process, it sends thestored intent to it so that ActivityThread will look for the intent inthe application's Manifest and will create that Activity; and (3) itthen starts running the application. These three steps are the same asthe last three steps ordinarily performed when an application islaunched in Android. Android Runtime or any other compatible runtime canbe loaded in the secure VM such that the application is compatible withthe secure VM. This above process can be varied for use with otheroperating systems by those skilled in the art.

An application can be configured or “marked” to use the secure/custom VMin various ways. For example, in the context of Android, the standardcommand “adb shell pm enable (package name)” can be used to set the“enabled” state or flag of the application package. As another example,the enterprise agent installed on the device can, upon installation,make a call to this API and specify all of the applications that willrun in the secure/custom VM. When such an application is later launched,the “enabled” flag can be checked (before Zygote is asked to create/forka new process), and a new secure VM instance can be created based on thestate of this flag. This process can be varied for use with otheroperating systems by those skilled in the art.

CONCLUSION

The secure mobile gateway 128 and the mobile device management system126 may each be implemented by a computer system made up of one or morecomputing devices (e.g., physical servers, workstations, etc.), whichmay, but need not, be co-located. Each such computing device typicallyincludes a processor (or multiple processors) that executes programinstructions or modules stored in a memory or other non-transitorycomputer-readable storage medium or device. The secure mobile gateway128 and mobile device management system 126 may be implemented on commonhardware or on separate and distinct hardware.

All of the methods and processes described above may be embodied in, andfully automated via, software code modules executed by one or morecomputing devices (e.g., smartphones, tablets, other types of mobiledevices, physical servers, etc). Each such computing device typicallyincludes a processor (or multiple processors) that executes programinstructions or modules stored in a memory or other non-transitorycomputer-readable storage medium or device. The code modules may bestored in any type of computer-readable storage medium or other computerstorage device. Some or all of the methods may alternatively be embodiedin specialized computer hardware (e.g., ASICs or FPGAs). Where a givensoftware component (such as the enterprise agent or secure launcher) isherein described as performing or implementing a given function, itshould be understood that the component, through executableinstructions, instructs one or more processors (e.g., the processor of amobile device) to perform or implement the function.

Various modifications to the implementations described in thisdisclosure may be readily apparent to those skilled in the art, and thegeneric principles defined herein may be applied to otherimplementations without departing from the spirit or scope of thisdisclosure. Thus, nothing in this specification is intended to implythat any feature, characteristic, or attribute of the disclosed systemsand processes is essential.

Certain features that are described in this specification in the contextof separate implementations also can be implemented in combination in asingle implementation. Conversely, various features that are describedin the context of a single implementation also can be implemented inmultiple implementations separately or in any suitable subcombination.Moreover, although features may be described above as acting in certaincombinations and even initially claimed as such, one or more featuresfrom a claimed combination can in some cases be excised from thecombination, and the claimed combination may be directed to asubcombination or variation of a subcombination.

Similarly, while operations are depicted in the drawings in a particularorder, this should not be understood as requiring that such operationsbe performed in the particular order shown or in sequential order, orthat all illustrated operations be performed, to achieve desirableresults. In certain circumstances, multitasking and parallel processingmay be advantageous. Moreover, the separation of various systemcomponents in the implementations described above should not beunderstood as requiring such separation in all implementations, and itshould be understood that the described program components and systemscan generally be integrated together in a single software product orpackaged into multiple software products.

What is claimed is:
 1. A mobile device comprising computer-readablestorage and at least one processor configured to executecomputer-executable code stored on the computer-readable storage, themobile device comprising: a secure container component installed on thecomputer-readable storage of the mobile device, the installed securecontainer component implemented by computer executable code stored onthe computer-readable storage of the mobile device to create a securedocument container on the computer-readable storage, the secure documentcontainer comprising a file system for a first portion of thecomputer-readable storage, the secure document container beingencrypted, the secure document container storing first enterprise dataof an enterprise, the first enterprise data including at least oneenterprise document; a second portion of the computer-readable storageof the mobile device, the second portion of the computer-readablestorage storing private data of a user of the mobile device, the privatedata associated with activity of the user that is outside of a role ofthe user in the enterprise, the second portion of the computer-readablestorage being unencrypted, the first portion of the computer-readablestorage being logically separate from the second portion of thecomputer-readable storage, wherein the first enterprise data in thesecure document container is logically separate from the private data inthe second portion of the computer-readable storage; an access managerimplemented by computer-executable code stored on the computer-readablestorage of the mobile device that limits access to the file system forthe first portion of the computer-readable storage based on one or moredocument-access policies that restrict availability of the firstenterprise data stored in the secure document container, wherein anon-enterprise application not associated with the enterprise isprevented from accessing the first enterprise data stored in the securedocument container; and a secure virtual machine implemented bycomputer-executable code stored on the computer-readable storage of themobile device, wherein an enterprise application associated with theenterprise and running in the secure virtual machine is configured toaccess the first enterprise data stored in the secure documentcontainer, wherein the first enterprise data is only accessible by theenterprise application associated with the enterprise after theenterprise application receives correct user credentials from the user,and wherein the document-access policies prevent a second enterprisedocument from being saved in the secure document container, wherein thesecond enterprise document is available for viewing on the mobile deviceonly when the mobile device is connected to a system of the enterprise.2. The mobile device of claim 1, wherein the access manager enables theenterprise to remotely initiate deletion of at least a portion of thefirst enterprise data from the secure document container, withoutmodifying the private data stored in the second portion of thecomputer-readable storage.
 3. The mobile device of claim 1, wherein theaccess manager determines whether to store, in the secure documentcontainer, third enterprise data received from an enterprise computingsystem of the enterprise based on a mode of communication between themobile device and the enterprise computing system, wherein: in a case ofthe mode of communication being a first mode of communication, the thirdenterprise data received from the enterprise computing system is storedin the secure document container, and in a case of the mode ofcommunication being a second mode of communication, the third enterprisedata received from the enterprise computing system is stored in thesecond portion of the computer-readable storage.
 4. The mobile device ofclaim 3, wherein the first mode of communication comprises the mobiledevice receiving the third enterprise data via an application tunnelthrough a tunneling mediator of the enterprise computing system.
 5. Themobile device of claim 1, wherein the access manager prevents, based onthe one or more document-access policies, the non-enterprise applicationnot associated with the enterprise from copying data from the at leastone enterprise document stored in the secure document container.
 6. Themobile device of claim 1, wherein the access manager limits access tothe at least one enterprise document in the secure document containerbased on properties of a software application requesting access to theat least one enterprise document.
 7. The mobile device of claim 1,wherein the access manager prevents, based on the one or moredocument-access policies, a software application from saving the atleast one enterprise document to the second portion of thecomputer-readable storage of the mobile device.
 8. The mobile device ofclaim 1, wherein the access manager prevents, based on the one or moredocument-access policies, a software application from attaching the atleast one enterprise document to an email sent from the mobile device.9. The mobile device of claim 1, comprising an executable componentimplemented by computer-executable code stored on the computer-readablestorage of the mobile device, the executable component configured to:determine that the at least one enterprise document is attached to anemail being send from the mobile device; encrypt the at least oneenterprise document attached to the email being sent from the mobiledevice using an attachment key; encrypt the attachment key; and causetransmission of the encrypted attachment key with the encrypted at leastone enterprise document attached to the email being sent from the mobiledevice.
 10. A method comprising: creating, by a secure containercomponent installed on a mobile device, a secure document container oncomputer-readable storage of the mobile device, the secure documentcontainer being encrypted and comprising a file system for a firstportion of the computer-readable storage, wherein the first portion isseparate from a second portion of the computer-readable storage of themobile device, wherein the second portion of the computer-readablestorage stores private data of a user of the mobile device, the privatedata associated with activity of the user that is outside of a role ofthe user in an enterprise, the second portion of the computer-readablestorage being unencrypted; receiving, by the mobile device, firstenterprise data from an enterprise resource of the enterprise; storing,by the mobile device, the first enterprise data in the secure documentcontainer, the storing occurring automatically under control of anenterprise agent running on the mobile device; selectively controlling,by the mobile device, access to the first enterprise data in the securedocument container in accordance with one or more document-accesspolicies, the one or more document-access policies defining conditionsfor accessing the first enterprise data in the secure documentcontainer, wherein access to the second portion of the computer-readablestorage of the mobile device is provided independent of the one or moredocument-access policies, wherein a non-enterprise application installedon the mobile device and not associated with the enterprise is preventedfrom accessing the first enterprise data in the secure documentcontainer, wherein an enterprise application associated with theenterprise and running in a secure virtual machine on the mobile deviceis configured to access the first enterprise data in the secure documentcontainer, wherein the first enterprise data in the secure documentcontainer is only accessible by the enterprise application associatedwith the enterprise after the enterprise application receives correctuser credentials from the user of the mobile device, and wherein the oneor more document-access policies prevent an enterprise document frombeing saved in the secure document container, wherein the enterprisedocument is available for viewing on the mobile device only when themobile device is connected to a system of the enterprise.
 11. The methodof claim 10, comprising: deleting, by the mobile device, the firstenterprise data in the secure document container responsive to at leastone of an indication that the mobile device is compromised and anindication that the user is no longer associated with the enterprise;and leaving, by the mobile device, the second portion of thecomputer-readable storage of the mobile device unmodified.
 12. Themethod of claim 10, comprising deleting, by the mobile device, the firstenterprise data in the secure document container in response toreceiving an indication of an expiration of a period of time.
 13. Themethod of claim 10, wherein the conditions for accessing the firstenterprise data in the secure document container comprise one or moreof: an expiration of a period of time; and a location of the mobiledevice being outside of a geographical zone.
 14. The method of claim 10,wherein the conditions for accessing the first enterprise data in thesecure document container comprise which component of the mobile devicerequests access to the first enterprise data in the secure documentcontainer.
 15. The method of claim 10, wherein the first enterprise datais received from the enterprise resource via an application tunnelformed between the enterprise resource and an application running on themobile device, the application tunnel using protocol encapsulation tosend data over a network.
 16. The method of claim 15, wherein storingthe first enterprise data in the secure document container of the mobiledevice is at least partly responsive to detecting that the firstenterprise data was received from the enterprise resource via theapplication tunnel.
 17. The method of claim 10, comprising preventingthe first enterprise data in the secure document container from beingsaved to the second portion of the computer-readable storage of themobile device.
 18. The method of claim 10, comprising deleting the firstenterprise data from the secure document container in response toreceiving an indication that a location of the mobile device is outsideof a predefined geographical zone.
 19. A non-transitory storage mediumcomprising instructions stored thereon executable by a processor of amobile device to perform a process comprising: creating, within a firstportion of a memory of the mobile device, a secure document container,the secure document container comprising a file system and beingencrypted, wherein the first portion is separate from a second portionof the memory of the mobile device, wherein the second portion of thememory stores private data of a user of the mobile device, the privatedata associated with activity of the user that is outside of a role ofthe user in an enterprise, and the second portion of the memory beingunencrypted; storing first enterprise data in the secure documentcontainer, the storing occurring automatically under control of anenterprise agent running on the mobile device; storing non-enterprisedata in the second portion of the memory of the mobile device; andrestricting access to the first enterprise data in the secure documentcontainer based on one or more rules defining conditions for allowingaccess to the first enterprise data in the secure document container,wherein access to the second portion of the memory of the mobile deviceis provided independent of the one or more rules, wherein anon-enterprise application installed on the mobile device and notassociated with the enterprise is prevented from accessing the firstenterprise data in the secure document container, wherein an enterpriseapplication associated with the enterprise and running in a securevirtual machine on the mobile device is configured to access the firstenterprise data in the secure document container, wherein the firstenterprise data in the secure document container is only accessible bythe enterprise application associated with the enterprise after theenterprise application receives correct user credentials for the user ofthe mobile device, and wherein the one or more rules prevent anenterprise document from being saved in the secure document container,wherein the enterprise document is available for viewing on the mobiledevice only when the mobile device is connected to a system of theenterprise.
 20. The non-transitory storage medium of claim 19, whereinthe process comprises causing the enterprise application to communicatewith an enterprise resource via an application tunnel formed between theenterprise resource and the enterprise application, the applicationtunnel using protocol encapsulation to send the enterprise data over anetwork.
 21. The non-transitory storage medium of claim 19, wherein theprocess comprises deleting the first enterprise data in the securedocument container without modifying the second portion of the memory ofthe mobile device, in response to at least one of detecting andreceiving an indication of a condition defined in at least one of theone or more rules.
 22. The non-transitory storage medium of claim 19,wherein the one or more rules are configured to restrict access to thefirst enterprise data in the secure document container based on ageographical restriction.
 23. The non-transitory storage medium of claim22, wherein the process comprises deleting at least a portion of thefirst enterprise data from the secure document container in response todetermining that the mobile device is located outside of a definedgeographical area.
 24. The non-transitory storage medium of claim 19,wherein the enterprise application is running in a secure virtualmachine on the mobile device, the secure virtual machine being separatefrom a virtual machine of an operating system of the mobile device, andwherein the one or more rules prevent an application running outside thesecure virtual machine on the mobile device from accessing the firstenterprise data in the secure document container.
 25. The non-transitorystorage medium of claim 19, wherein the process comprises receiving thefirst enterprise data via an application running in a secure browserinstalled on the mobile device, the secure browser configured toregulate access of the application running in the secure browser to thesecure document container.
 26. The non-transitory storage medium ofclaim 25, wherein the secure document container comprises a secure cachefor the secure browser installed on the mobile device, and wherein thesecure browser is configured to: determine that a connection speed of anetwork connection of the mobile device is below a threshold; preventthe application running in the secure browser from detecting that theconnection speed is below the threshold; and store, in the secure cachein the secure document container, data requested to be transmitted overthe network connection by the application running in the secure browser.27. The non-transitory storage medium of claim 19, wherein the one ormore rules are configured to restrict access to the first enterprisedata in the secure document container based on a temporal restriction.28. The non-transitory storage medium of claim 27, wherein the processcomprises deleting at least a portion of the first enterprise data fromthe secure document container when a specified period of time expires.